With Azure Relay, you can connect your on-premises application with a gateway in Azure, without having to open a firewall connection or make any other big adjustments to your on-premises network.
You can create an Azure Relay service in the Azure portal. Inside the Azure Relay service, a secure connection is created by using an outbound port and a bi-directional connection to your on-premises application. This connection is dedicated to one client and encrypted using Transport Layer Security (TLS). The on-premises application imports the Azure Relay namespace and makes a call to the Azure Relay service in the Azure portal using access keys for authentication.
Azure Relay services support peer-to-peer traffic, one-way traffic, request/response traffic, publish/subscribe scenarios, and bi-directional socket communication for increased point-to-point efficiency.
The difference between using Azure Relay services and using a VPN to create a hybrid connection is that the Azure Relay service can be scoped to one application on a single machine, whereas a VPN uses one connection for all sorts of connection types. Azure Relay services offer two features, a hybrid connection and WCF relays. They are different implementations, but both share the same gateway.
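The access-key authentication mentioned above works by deriving a time-limited Shared Access Signature (SAS) token from the key, so the key itself is not sent to the service. The following is an added example, not code from the original page: the namespace, hybrid connection name, rule name and key are constructed, and `verify_sas_token` is a local sketch of the check, not the service's own code.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse


def _sign(key: str, encoded_uri: str, expiry: str) -> str:
    # HMAC-SHA256 over "<url-encoded resource URI>\n<expiry>", keyed with the access key.
    mac = hmac.new(key.encode("utf-8"), f"{encoded_uri}\n{expiry}".encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def make_sas_token(resource_uri, key_name, key, ttl_seconds=3600, now=None):
    """Derive a time-limited SAS token; the key itself never leaves the client."""
    now = time.time() if now is None else now
    expiry = str(int(now + ttl_seconds))
    encoded_uri = urllib.parse.quote_plus(resource_uri)
    sig = urllib.parse.quote_plus(_sign(key, encoded_uri, expiry))
    return f"SharedAccessSignature sr={encoded_uri}&sig={sig}&se={expiry}&skn={key_name}"


def verify_sas_token(token, key, now=None):
    """Local sketch of the receiving side: check expiry, then recompute the HMAC."""
    now = time.time() if now is None else now
    fields = urllib.parse.parse_qs(token.split(" ", 1)[1])
    sr, sig, se = fields["sr"][0], fields["sig"][0], fields["se"][0]
    if int(se) <= now:
        return False  # expired token
    expected = _sign(key, urllib.parse.quote_plus(sr), se)
    return hmac.compare_digest(expected, sig)


# Constructed sample values (hypothetical namespace, entity, rule and key).
RESOURCE = "https://contoso-relay.servicebus.windows.net/orders-hc"
RULE_NAME = "listen-only"
RULE_KEY = "Y29uc3RydWN0ZWQta2V5LW5vdC1hLXJlYWwtc2VjcmV0"

if __name__ == "__main__":
    token = make_sas_token(RESOURCE, RULE_NAME, RULE_KEY, ttl_seconds=600)
    print(token)
    print("valid:", verify_sas_token(token, RULE_KEY))
```

Signing the URI of a single hybrid connection with a short lifetime, using a rule that carries only the right the application needs, keeps the credential as narrowly scoped as the connection itself.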