Data Bridges

注記

Data Bridges is in Public Preview. It might have known issues, might not include all intended features, and is subject to change without notice.

Access is currently limited to customers nominated for the Public Preview program. If you are not part of the Public Preview but would like to participate, contact your Alteryx account manager to request access.

重要

Data Bridges doesn’t support high availability (HA).

Alteryx Data Bridges enables workflows running in Workspace Execution to securely connect to customer-managed data sources. It uses AWS PrivateLink to establish connectivity, allowing access to private resources without exposing them to the public internet.

No changes to existing workflows are required. The Alteryx Engine connects to data sources using the same hostnames and ports it uses when running inside the network.

Data Bridges is designed for use with Workspace Execution on the Alteryx Data Plane. It is the only supported method for securely connecting those workflows to customer data sources without requiring public internet access.

Billing and Entitlements

Data Bridges is available on the Enterprise 2025 tier of the Alteryx One Platform. Earlier editions don’t include this capability.
Your right (“entitlement”) to use Data Bridges is tied to your Billing Account. Each Billing Account can create one or more Bridge Client resources.
To set up a Data Bridge in Admin Console > Data Bridges, you must be an admin on the Billing Account associated with your Alteryx One subscription.

Terminology

Bridge Client: A lightweight AMD64 Amazon Linux 2023 binary deployed in a customer’s AWS Virtual Private Cloud (VPC). It works with AWS PrivateLink to provide a private, authenticated connection between Alteryx and customer data sources—without using the public internet.
AWS PrivateLink: An AWS service that enables private connectivity between VPCs and AWS or third-party services (such as the Bridge Client) using private IP addresses. Traffic doesn’t traverse the public internet.
Data Source: Any customer-managed database or service that is reachable over TCP.
Workspace Execution: Lets users build workflows in Designer Desktop, then save, schedule, and run them in Alteryx One using cloud-based compute and storage instead of a local machine.
Alteryx Data Plane: Alteryx's multi-tenant cloud execution environment, where cloud resources are securely shared across multiple customers.

System Architecture Overview

This diagram shows how Alteryx Data Bridges securely connects Workspace Execution workflows to customer-managed data sources while keeping all customer data on private networks.

Data Flow (Blue Arrows)

Workflows running in Workspace Execution on the Alteryx Data Plane initiate connections to data sources using standard host names and ports.
Traffic flows privately over AWS PrivateLink into the customer’s AWS VPC.
The Bridge Client, running inside the customer network, forwards the traffic to the target data source (such as a database).
Data travels back along the same private path to the executing workflow.

Metadata and Control Flow (Orange Arrows)

The metadata and control flow manages configuration, provisioning, and lifecycle management, and never carries customer data:

The customer configures the Data Bridge and Network Mappings through the Alteryx One Platform user interface.
Configuration is transmitted to the Alteryx Data Plane and eventually the Bridge Client via AWS Private Link.

This separation ensures that control and orchestration traffic is isolated from customer data traffic, improving both security and reliability.

Data Bridge and Workspace Configuration Options

Each Data Bridge can be associated with one or more workspaces. Each workspace can also be associated with zero, one, or multiple Data Bridges.

If high isolation between workspaces is required, we recommend a 1-to-1 mapping between a Data Bridge and a workspace. For most common scenarios, a single Data Bridge connected to multiple workspaces is recommended for easier management.

Admins control which connections can use a Data Bridge during setup. This ensures connections are made only to admin-approved data sources.

Summary

Customer data flows only through private network paths between workflows at runtime and customer infrastructure.
Metadata, provisioning, and operational traffic are handled separately by Alteryx services.
No changes to workflows are required, and customer data sources don’t need to be publicly accessible.
This architecture allows customers to run desktop-authored workflows in the cloud while maintaining the same security posture as running inside their own network.

Customer Workflow

Prerequisites

Alteryx One Prerequisites

Your organization is on the Enterprise 2025 tier of the Alteryx One Platform. Earlier editions don’t include Data Bridge.
You have access to the Billing Account associated with your Alteryx One subscription.
You are an admin on that Billing Account in order to create and manage Bridge Client resources.
Workspace Execution is enabled and running on the Alteryx Data Plane for the workspace that will use the Data Bridge.
You have the necessary internal approvals and credentials to access the private data sources you intend to connect via Data Bridge.
The data sources you want to access are not exposed on the public internet (for example, they are only reachable over private networks or VPN).

AWS Prerequisites

You have an AWS account that will host the Bridge Client.
The data sources you want to access are reachable through at least one AWS VPC.
You have permissions in that AWS account to:
- Create and manage EC2 instances (for hosting the Bridge Client)
- Configure AWS PrivateLink endpoints (if applicable)
- Manage network and security resources (VPC, Security Groups, etc.)
The AWS environment has network connectivity to the private data sources that will be accessed via Data Bridge.

Recommended EC2 Instance Sizes

The following are example starting points based on general AWS best practices, not a hard product requirement. Validate with your internal cloud or infra team and adjust as needed for your workloads.

Start with t3.small (2 vCPU, 2 GiB RAM) for development, testing, or very light usage.
Use t3.medium (2 vCPU, 4 GiB RAM) as the default for most production workloads.
Scale up (for example t3.large or m6i.large) if CPU or memory is consistently high or you expect heavy concurrent workloads.

Set Up a Data Bridge

Follow these steps to configure a Data Bridge. Once complete, Workspace Execution workflows in the associated workspaces will have access to the connected Data Sources.

Create a Data Bridge

In Alteryx One, go to Admin Console > Data Bridges. Then select Create Data Bridge. Enter:
- Data Bridge Name
- Region: The region must match your VPC region and should default to the region you are currently in.
- Availability Zone ID: The Availability Zone ID identifies the AWS availability zones where this endpoint is available.
- Port: The port is used to connect the Data Bridge to Alteryx. The default is 9001.
Select Next.
On the next page, you are prompted to install and configure the Bridge Client binary in your VPC.
- Download the Bridge Client binary file from the Licensing Portal.
  Make the binary executable. The Bridge Client binary must have executable permissions before it can be run.
- Import Bridge Client to EC2 with AWS Secret Access:
  In AWS, create an EC2 (Amazon Linux AMI) instance that can connect to your private data source and has permission to read or write secrets in AWS Secrets Manager. For more information on how to create an EC2 instance, refer to the AWS documentation Get started with Amazon EC2.
  Then, import the Bridge Client into the instance.
- Save configuration snippet to a file:
  Copy and paste the snippet into a configuration file named bridge-client-config.json, which will be referenced by the Bridge Client.
  Example:
```
{
  "logging": {
    "logLevel": "info", <This can also be "debug">
    "logFormat": "json"
  },
  "bootstrap" : {
    "storageType": "secretsManager"
    "secretName": "<Name of the AWS Secrets Manager secret where the Bridge Client will store its private key. The Bridge Client will create and populate this secret automatically.>"
  },
  "libp2pPort": 9001,
  "libp2pBindIP": "<Private IPv4 address of EC2 Instance that the NLB Target Group Points To On A PrivateLink Endpoint Service.>",
  "resourceFile": "/home/ec2-user/resources.json"
}
```
- Create the resources.json file:
  Create a file named resources.json. This file is required for the Bridge Client to start and manage resources at runtime.
  The file must contain an empty JSON object ({}) and must not be blank.
- Run Bridge Client as a process:
  Use systemd to run the Bridge Client as a long-running process.
  Example:
```
[Unit]
Description=Bridge Client

[Service]
ExecStart=/home/ec2-user/bridge-client -c /home/ec2-user/bridge-client-config.json
Restart=always
RestartSec=30s

[Install]
WantedBy=multi-user.target
```
  Start the Bridge Client and enable auto-start with this example command:
```
sudo systemctl start bridge-client
sudo systemctl enable bridge-client
```
  From the stdout, record the Bridge Client peer ID.
  - After you start the Bridge Client with the command above, retrieve the peer ID by running the following command:
    sudo journalctl -u bridge-client -n 500 -r --no-pager \ | grep -m1 '"peerID"' \ | sed -E 's/.*"peerID":"([^"]+)".*/\1/'
  - Alternatively, manually look for a log line similar to the following:
    {"level":"info","ts":"2025-10-18T01:17:27Z","caller":"bootstrap/bootstrap.go:47","msg":"peerID","name":"bridge_client","peerID":"QmA7kT2Yp8ZLxNwC4H6B5eVJg9sDoUScmRyb3FhXPaMq"}
  - The peerID value is randomly generated and differs for each Bridge Client. Note that each Bridge Client should use or have its own private key. Private keys are and should not be reused between Bridge Clients.
- Setup PrivateLink Endpoint Service:
  Once the installation is complete, set up the PrivateLink Endpoint Service in your VPC.
  注記
  The Load Balancer must include two Availability Zone (AZ) IDs, and one of them must match the AZ where the Bridge Client is deployed.
  Select Next once the Endpoint Service is ready.
Go back to Alteryx One > Admin Console > Data Bridges. Enter:
- The Endpoint Service Name
- The Bridge Client peer ID recorded in step 2.
Select Create Data Bridge.

Now you can start adding Workspaces.

Add a Workspace

Once you’ve created a Data Bridge in Admin Console, you can add one or more Workspaces to this Data Bridge. The workspace association process typically takes 13–15 minutes to complete.

In Alteryx One > Admin Console > Data Bridges, select Add Workspace.
A window Add Workspace opens.
- Select a Workspace from the dropdown. Only workspaces with Workspace Execution enabled are shown. Then select Next.
- The IAM role is displayed. Copy and paste it to the Allow Principals list in your private VPC. For more information on configuring the AWS IAM Identity Center, refer to Getting started with IAM Identity Center or Configuring IAM Identity Center authentication with the AWS CLI.
  Once done, select Next.
- A PrivateLink Endpoint has been created. Select Confirm to test the connection.
  If the test is successful, continue to Create a New Network Mapping.
- Accept the Private Endpoint connection from the Alteryx account.

Create a New Data Source Network Mapping

Create a network mapping to allow the Data Bridge to route traffic to a specific private data source. The network mapping typically takes 10–20 seconds to be created.

In Alteryx One > Admin Console > Data Bridges, select New Network Mapping.
A window New Network Mapping opens. Enter:
- Name
- Description
- Host: This is the exact hostname or IP address from your data source connection in Connection Manager or Designer.
- Port: The port number configured for your data source.
Then select Create.

Troubleshooting and FAQ

Common Installation and Configuration Issues

Connectivity or DNS Errors

If you experience connectivity failures, check for common DNS resolution issues.

Symptom: Bridge Client cannot connect to Alteryx Cloud or customer data sources.
Likely cause: Misconfigured VPC networking or incorrect DNS settings.
Next steps: Confirm VPC DNS settings, PrivateLink endpoint configurations, and firewall rules.

Connection Limits

To provide DDoS (Distributed Denial-of-Service) protection, the Bridge Client limits incoming concurrent connections to 256 per data source. Contact Alteryx Support if you need to increase this limit.

Metrics and Support

If you need help debugging the Bridge Client, call the /metrics.json endpoint to retrieve a JSON-formatted status report. Attach this output to your support ticket or message so the support team can review the issue.

The Bridge Client also exposes a Prometheus-style /metrics endpoint, which customers can scrape to create dashboards or analyze the data independently.

Upgrade and Compatibility

Compatibility

Data Bridge is not supported in:

Private Data Processing deployments
Private Data Storage configurations

Upgrades

Upgrades to the Bridge Client are typically required when new features or security updates are released.
Public Preview assumes backward compatibility. However, upgrade instructions will be provided if needed.

このセクションの内容: