I found an excellent post on the question whether to use Hybrid Connections or a Relay. Both techniques actually use the relay concept under the covers. That essentially means both techniques are firewall friendly. No inbound ports are required to expose on premise services, just outbound connections. In fact, there aren’t that many features with Hybrid Connections which would give you a big benefit versus what you might get with Service Bus Relay. So the important question remains: What’s the difference?
First of all a software agent gets installed on premise if you are using Hybrid Connections. With Service Bus Relays nothing gets installed on premise and you can either modify and expose the service itself or build a facade WCF Service (or the WCF Routing Service) and use a so-called relay binding. Note that relays can only be called from WCF clients. Another angle to look at it. Hybrid Connections requires the BizTalk Services feature. This gives you some more integration features, but it also comes with a higher cost. Service Bus Relay is a smaller feature within Azure and is currently lower cost.
Scenarios when it’s best to use Hybrid Connections:
•The client is hosted inside of Azure
•You want to integrate directly with a resource, which is not hosted in WCF. Eg: you want to connect directly to a database
•The client wanting to connect to the resource is not able to talk WCF and perhaps isn’t even a Microsoft technology
•You want to create a point to point tightly coupled connection from a cloud resource to an on premise resource
•You are already using Hybrid Connections in your architecture
Scenarios when it’s best to use relays:
•The client is hosted outside of Azure
•The client is hosted on a resource in Azure which is not supported by Hybrid Connections (see documentation for more info)
•You want to connect your WCF service directly to the cloud rather than having an on-premise man in the middle style agent installed
•You are already using Service Bus Relay in your architecture
Other differences:
- From a security perspective there are some notable differences. If you use hybrid connections you use SAS which is abstracted from the consuming technology. Using Service Bus Relay you need to use ACS. This means your client needs to be able to get an ACS token via WCF bindings or REST.
- With Hybrid Connections you’re talking to a service at a port level. This means that you can connect to any service exposed at that address and on that port. If we are bridging through to an IIS server we would be able to get to all WCF services in this WCF component on that port (for instance port 80). Obviously this could be a problem, although there may be some application specific security. With Service Bus Relay things are slightly different. You are able to configure the service to only use specific WCF services to open an endpoint in the cloud.
Further information can be found at the following link: blogpost
Think * Share * Integrate 
One good point to mention here is that Hybrid Connections are Free (5 Hybrid Connection) when using a Azure Website in Standard mode.