As you already learned in Chapter 3, Deploying and Synchronizing Azure Active Directory, the synchronization traffic for your hybrid identities (from Azure AD Connect to Azure AD) normally travels over the public internet. Its only protection is TLS (SSL) encryption on TCP port 443.
One option to improve the security of that traffic is to place the Azure AD Connect server, together with the domain controller it reads from, as VMs in Azure. The VMs still communicate with the public IP addresses of the Azure AD endpoints, but the traffic is then carried on Microsoft's internal switches and routers and does not leave the Azure datacenter. Note that this changes the path, not the protocol: the connection still terminates at public endpoints, so TLS remains required and outbound TCP 443 must still be allowed from the VM.
To make your on-premises Active Directory available to those VMs, you first set up a site-to-site VPN tunnel or an ExpressRoute circuit as a secure connection between your datacenter and the Azure virtual network. You then place an AD domain controller (DC) in Azure and let it replicate from a bridgehead DC in your on-premises datacenter, so that Azure AD Connect can read from a DC in the same virtual network instead of pulling every change across the tunnel.
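The AD side of that procedure, as an added PowerShell example (this is not code from the book and not a Microsoft script; the domain name corp.contoso.com, the site names OnPrem-HQ and Azure-WestEurope, the VNet address space 10.10.0.0/16, the data-disk drive letter F: and the VM name AZ-DC01 are assumptions you replace with your own). It creates the site topology so the KCC chooses an on-premises bridgehead for the Azure site, promotes the Azure VM as a DC in that site, and then verifies that replication over the tunnel actually works. The VPN or ExpressRoute connection is assumed to be in place before step 2:

```powershell
# Added example (not from the book): prepare the AD site topology for an
# Azure-hosted domain controller, promote the DC, then verify that it
# replicates from the on-premises bridgehead over the VPN/ExpressRoute link.
# Assumed names: domain corp.contoso.com, on-premises site "OnPrem-HQ",
# Azure VNet address space 10.10.0.0/16, DC VM "AZ-DC01", data disk F:.
# Run step 1 on an existing on-premises DC, step 2 on the Azure VM (after it
# can reach the on-premises DCs through the tunnel), step 3 on either side.

# --- Step 1 (on-premises DC): create the Azure site, map the VNet subnet
#     to it and link it to the on-premises site. ---
Import-Module ActiveDirectory

New-ADReplicationSite   -Name "Azure-WestEurope"
New-ADReplicationSubnet -Name "10.10.0.0/16" -Site "Azure-WestEurope"

# Cost and interval are assumptions. Inter-site replication runs over RPC
# (TCP 135 plus the dynamic or fixed RPC port), so those ports must be open
# on the VPN/ExpressRoute path; the 443 rule for Azure AD Connect is not enough.
New-ADReplicationSiteLink -Name "OnPrem-HQ_Azure-WestEurope" `
    -SitesIncluded "OnPrem-HQ", "Azure-WestEurope" `
    -Cost 100 -ReplicationFrequencyInMinutes 15 `
    -InterSiteTransportProtocol IP

# --- Step 2 (Azure VM): promote it as a DC in the new site. ---
# Keep NTDS and SYSVOL on a data disk whose host caching is set to None;
# a write-cached disk can corrupt the AD database on an unplanned reboot.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$cred = Get-Credential -Message "Domain Admin for corp.contoso.com"
$dsrm = Read-Host -AsSecureString -Prompt "DSRM password"

Install-ADDSDomainController `
    -DomainName "corp.contoso.com" `
    -SiteName "Azure-WestEurope" `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns:$true `
    -DatabasePath "F:\NTDS" -LogPath "F:\NTDS" -SysvolPath "F:\SYSVOL" `
    -NoRebootOnCompletion:$false -Force:$true

# --- Step 3 (after the reboot): confirm that the new DC's inbound connection
#     object points at an on-premises DC (the bridgehead picked by the KCC)
#     and that the last replication attempt succeeded. ---
Get-ADReplicationConnection -Server "AZ-DC01" -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer

Get-ADReplicationPartnerMetadata -Target "AZ-DC01" -Partition * |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult

# Classic cross-check: a non-zero LastReplicationResult or a stale
# LastReplicationSuccess usually means the tunnel or the RPC ports, not AD.
repadmin /showrepl AZ-DC01 /errorsonly
```

If you want a specific on-premises DC as the bridgehead rather than the one the KCC selects, mark it as a preferred bridgehead server on its server object in Active Directory Sites and Services; otherwise the ISTG of the OnPrem-HQ site chooses one, which is what the verification in step 3 shows.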
The following diagram shows the concept and VM placement: