Tableau Bridge: Connecting Tableau Cloud to On-Premise Data Sources

Austin Duncan
Project Manager & Data Strategist
September 15, 2027 · 11 min read

Tableau Bridge solves the fundamental connectivity problem for organisations migrating to Tableau Cloud: how to maintain live connections and scheduled extracts against data sources that sit behind a firewall. It is a lightweight agent that runs on-premises, proxies Tableau Cloud requests to internal databases, and enables the full Tableau Cloud feature set without requiring data sources to be publicly accessible.

Tableau Bridge is the connectivity agent that allows Tableau Cloud to maintain live query connections and scheduled extract refreshes against data sources that sit behind a corporate firewall or are otherwise not publicly accessible from the internet. It is an installed software agent that runs on a machine within the private network, receives connectivity requests from Tableau Cloud, and proxies them to the data sources on behalf of Tableau Cloud. Without Bridge, Tableau Cloud is limited to data sources that are directly reachable from the internet — cloud data warehouses with public endpoints, files uploaded to Tableau Cloud, or data sources accessible via cloud connectors. With Bridge, Tableau Cloud can reach the same on-premise databases, internal API endpoints, and private network data sources that Tableau Server has always been able to access.

Why Bridge Matters for Cloud Migration

The most common barrier to Tableau Cloud adoption is data source connectivity. Most organisations that have operated Tableau Server for years have a significant portfolio of data sources that are not publicly accessible: on-premise SQL Server, Oracle, and PostgreSQL databases; SAP systems; internal REST APIs; files on network shares. Moving to Tableau Cloud without addressing this connectivity requirement would mean either moving the data sources to cloud-accessible locations first — a significant project in itself — or losing extract refresh and live connection capabilities for that content.

Bridge solves this without requiring any changes to the data sources or the network perimeter. The agent runs inside the firewall, initiates outbound connections to Tableau Cloud (which is firewall-friendly since it is outbound traffic, not inbound), and maintains persistent connectivity for the duration of the Tableau Cloud session. Data source administrators do not need to open inbound firewall ports or expose databases to the internet.

Bridge Architecture

Bridge uses a reverse-proxy architecture. The agent is installed on a machine inside the private network — typically a Windows or Linux server with network access to the relevant data sources. The agent maintains a persistent outbound connection to Tableau Cloud over HTTPS (port 443). When a Tableau Cloud user triggers a live query or an extract refresh for a data source managed by Bridge, Tableau Cloud routes the request through the persistent connection to the Bridge agent, which executes the query against the data source and returns the results.

Key architectural characteristics:

**Outbound-only connectivity** — Bridge never accepts inbound connections. All communication is initiated by the Bridge agent outbound to Tableau Cloud. This means no firewall rule changes are required on the inbound side, and the security perimeter is unchanged.

**Agent-to-data-source connectivity** — The Bridge agent must have network access to the data sources it serves. If the data source requires specific network routing or credentials, the machine running Bridge must have that access and those credentials.

**Multiple agents for redundancy and scale** — Bridge supports multiple agents registered to the same Tableau Cloud site. Multiple agents provide both redundancy (if one agent is unavailable, another handles requests) and scale (refresh load distributed across agents). For production environments with significant extract refresh volume, multiple Bridge agents are recommended.

**Agent pools** — Bridge agents can be organised into pools, with specific data sources assigned to specific pools. This allows different data sources to be served by different sets of agents — separating production data sources from development, or organising agents by data centre or network segment.

Supported Connections

Bridge supports a large subset of the connectors available in Tableau Server and Tableau Desktop:

**Relational databases** — SQL Server, PostgreSQL, MySQL, Oracle, IBM Db2, Teradata, and other JDBC/ODBC-accessible databases.

**Cloud databases via private endpoints** — Snowflake, BigQuery, Redshift, and Azure Synapse environments with private endpoints or VPC configurations that are not publicly accessible.

**SAP systems** — SAP HANA, SAP BW, SAP NetWeaver via the appropriate connectors.

**File-based sources** — Excel files, CSV files, and other flat file sources on network file shares, provided the Bridge agent has access to those file system locations.

Bridge does not support all connectors available in Tableau. Live connections to some data source types require cloud-accessible endpoints. The current Tableau documentation lists the supported connectors for Bridge; validate connector support early in migration planning to avoid late-stage surprises.

Extract Refresh vs Live Connection

Bridge supports both extract refreshes and live connections, but with different characteristics and performance implications.

**Extract refreshes** — Bridge is well-suited for scheduled extract refreshes. The extract refresh runs as a background job, the Bridge agent queries the data source and returns the full result set, and the extract is updated in Tableau Cloud. Refresh scheduling, monitoring, and failure alerting work the same way as with cloud-accessible data sources.

**Live connections** — Bridge supports live query connections for some data source types, but with latency implications. Every live query from a Tableau Cloud user is routed through the Bridge agent to the data source and back. If the data source is geographically distant from the Bridge agent, or if the Bridge agent's network connection to Tableau Cloud has latency, live query performance will be degraded compared to a direct cloud connection. For high-volume live query workloads, co-locating the Bridge agent as close to the data source as possible minimises this latency.

For most on-premise data sources, extract-based connectivity — with appropriate refresh frequency — delivers better user experience than live query through Bridge. Live query through Bridge is best suited for data sources where freshness requirements are incompatible with extract scheduling.

Deployment and Configuration

Bridge deployment involves several steps:

**Install the agent** — Download the Bridge client installer from Tableau Cloud and install it on a Windows or Linux machine inside the private network. The machine requires outbound HTTPS access to Tableau Cloud and network access to the relevant data sources.

**Register the agent** — Log in to Tableau Cloud with Site Administrator credentials and register the agent. The agent appears in the Bridge settings of the Tableau Cloud site administration panel.

**Configure data source connections** — For each data source that should be served by Bridge, configure the published data source in Tableau Cloud to use the Bridge connection. This can be done during data source publishing from Tableau Desktop by selecting the Bridge option for the connection, or by modifying existing published data sources through the Tableau Cloud UI.

**Manage credentials** — Bridge agents handle data source credentials through the same embedded credentials mechanism as Tableau Server. Credentials for each data source are stored securely on the Bridge agent and used when executing queries on behalf of Tableau Cloud.

**Monitor agent health** — The Tableau Cloud site administration panel shows the status of registered Bridge agents — connected, disconnected, or error. Monitoring agent health is part of the operational runbook for Tableau Cloud environments that depend on Bridge.

Bridge in Cloud Migration Planning

For organisations migrating from Tableau Server to Tableau Cloud, Bridge is typically addressed in the middle phase of migration planning — after the decision to migrate has been made but before the migration execution begins.

The migration planning process should:

1. Audit the current Tableau Server environment to identify all published data sources and their connection types — cloud-accessible vs. requiring Bridge.

2. Validate that all required connectors are supported by Bridge. Flag any unsupported connectors early; they may require data source migration (moving the data to a cloud-accessible location) rather than Bridge deployment.

3. Design the Bridge agent deployment — how many agents, where they run, which agent pools serve which data sources.

4. Test live query and extract refresh performance through Bridge before migrating production workloads. Performance characteristics differ from direct database connections and should be validated with representative query loads.

5. Plan the transition — the period during which Tableau Server and Tableau Cloud run simultaneously, with Bridge handling cloud connectivity while Server handles the remaining workloads.
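Steps 1 to 3 can be run as a script over an exported inventory. The following is an added example, not code from Tableau or from the original article: it classifies each data source as directly reachable or Bridge-required, flags connectors that are not in the list quoted in this article, and checks that every pool serving a Bridge source has at least two agents. The inventory fields, pool names, host names and the `.corp.example` internal DNS suffix are assumptions, and the connector set should be replaced with the list in the current Tableau documentation.

```python
import ipaddress

# Connector names as listed in this article; replace with the current Tableau docs list.
BRIDGE_CONNECTORS = {
    "sql server", "postgresql", "mysql", "oracle", "ibm db2", "teradata",
    "snowflake", "bigquery", "redshift", "azure synapse",
    "sap hana", "sap bw", "sap netweaver", "excel", "csv",
}
INTERNAL_SUFFIXES = (".corp.example",)  # assumption: internal DNS zone(s)

def is_private(location: str) -> bool:
    """True when the source is only reachable from inside the network."""
    if location.startswith("\\\\") or location.startswith("/"):
        return True  # UNC share or file system path
    host = location.split(":")[0].lower()  # strip port (IPv4 / hostname only)
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # not an IP literal: internal suffix or bare hostname
        return host.endswith(INTERNAL_SUFFIXES) or "." not in host

def audit(inventory, pools):
    """Return {source name: finding} for every inventory entry."""
    findings = {}
    for src in inventory:
        if not is_private(src["location"]):
            findings[src["name"]] = "direct"  # no Bridge needed
        elif src["connector"].lower() not in BRIDGE_CONNECTORS:
            findings[src["name"]] = "connector-unverified"  # check docs first
        elif len(pools.get(src.get("pool"), [])) < 2:
            findings[src["name"]] = "bridge-no-redundancy"  # single agent
        else:
            findings[src["name"]] = "bridge-ok"
    return findings

# Constructed sample inventory and pool plan (hypothetical names throughout)
INVENTORY = [
    {"name": "Sales DW", "connector": "SQL Server", "location": "10.20.4.15:1433", "pool": "prod"},
    {"name": "Finance", "connector": "Oracle", "location": "ora01.corp.example:1521", "pool": "dev"},
    {"name": "Web events", "connector": "Snowflake", "location": "dw.example.com"},
    {"name": "Budget", "connector": "Excel", "location": "\\\\fs01\\finance\\budget.xlsx", "pool": "prod"},
    {"name": "Legacy", "connector": "Custom ERP", "location": "erp01", "pool": "prod"},
]
POOLS = {"prod": ["bridge-a", "bridge-b"], "dev": ["bridge-c"]}

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, POOLS).items():
        print(f"{name:12} {finding}")
```

The `connector-unverified` and `bridge-no-redundancy` findings are the ones to resolve before step 4, since they decide which sources need data migration and which pools need another agent.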

Bridge is mature technology and works reliably for the data source types it supports. The migration challenges are usually in the planning and testing phases — identifying which data sources need Bridge, validating connector support, and testing performance — not in the Bridge deployment itself.

Our Tableau consulting practice manages Tableau Server to Cloud migrations including Bridge deployment and configuration. Contact us to discuss the connectivity architecture for your Tableau Cloud migration.
