When performing a restore in On Demand Recovery that includes objects or attributes that exist in the on-premises environment, the On Demand module contacts an "Azure Relay" service that is configured in the Quest Azure tenant. The "Quest Recovery Manager Portal Access" service in the on-premises environment then contacts the "Azure Relay" service in the cloud over HTTPS (port 443). The connection only needs to be opened from the on-premises Recovery Manager server to the "Azure Relay" service in the cloud. Incoming connections to the Recovery Manager server can be blocked.
The best approach is to whitelist the DNS name for the Azure WCF Relay, opening only port 443 to *.servicebus.windows.net.
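
The rule above only holds if the wildcard is matched strictly. The following added example (not Quest's code) evaluates outbound destinations against "TCP 443 to *.servicebus.windows.net" and rejects lookalike names. All hostnames are constructed placeholders, the function names are this example's own, and allowing more than one label under the wildcard is an assumption of the example.

```python
# Added example: evaluate outbound destinations against the egress rule
# "TCP 443 to *.servicebus.windows.net". Hostnames below are constructed.
ALLOWED_SUFFIX = ".servicebus.windows.net"
ALLOWED_PORT = 443


def normalize_host(host: str) -> str:
    """Lower-case and strip the trailing root dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")


def is_allowed(host: str, port: int) -> bool:
    """True only for <label(s)>.servicebus.windows.net on TCP 443."""
    if port != ALLOWED_PORT:
        return False
    name = normalize_host(host)
    # The suffix keeps its leading dot, so "fakeservicebus.windows.net" and
    # the bare "servicebus.windows.net" do not satisfy the wildcard.
    if not name.endswith(ALLOWED_SUFFIX):
        return False
    # Assumption: one or more DNS labels may precede the suffix.
    labels = name[: -len(ALLOWED_SUFFIX)].split(".")
    return all(
        label and all(c.isalnum() or c == "-" for c in label) for label in labels
    )


def audit(connections):
    """Split (host, port) pairs into allowed and blocked lists."""
    allowed, blocked = [], []
    for host, port in connections:
        (allowed if is_allowed(host, port) else blocked).append((host, port))
    return allowed, blocked


# Constructed sample of outbound attempts from the Recovery Manager server.
SAMPLE = [
    ("example-relay.servicebus.windows.net", 443),    # matches the rule
    ("EXAMPLE-RELAY.servicebus.windows.net.", 443),   # case / trailing dot
    ("example-relay.servicebus.windows.net", 80),     # wrong port
    ("servicebus.windows.net", 443),                  # apex, not a subdomain
    ("fakeservicebus.windows.net", 443),              # missing label boundary
    ("servicebus.windows.net.example.com", 443),      # suffix in the wrong place
]

if __name__ == "__main__":
    allowed, blocked = audit(SAMPLE)
    for host, port in allowed:
        print("ALLOW", host, port)
    for host, port in blocked:
        print("BLOCK", host, port)
```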