As per hybrid communication documentation https://docs.microsoft.com/en-us/azure/biztalk-services/integration-hybrid-connection-overview hybrid connections does not require any inbound ports to be opened in firewall.
But without an inbound port how does the communication happen with on premise resource from outside world? I understand the Hybrid connection manager (HCM) acts as a bridge for communication, but how does HCM, which resides in corporate network receive messages from Azure?
But without an inbound port how does the communication happen with on premise resource from outside world?
Both parties (Web App and on-prem) open outbound connections to the Hybrid Connection endpoint - which is really just Service Bus Relay underneath. The HC endpoint then patches together the two TCP pipes.
Here's a picture:
You can also do High Availability with Hybrid Connections, just use the same Connection String on both Hybrid Connection Managers - load-balancing and failover will be activated:
Note there's a new Hybrid Connections offering (v2), which removes the dependency on BizTalk namespaces. More on that here: https://docs.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
