Does our SCOM environment need internet access
SCOM will need access to the internet and firewalls can be configured to only allow traffic to the managed application running in Azure.
The workflows can be configured to run on specific Management Servers in SCOM using Resource Pools. Allowing only the specific servers in the resource pools for the connector allows you to configure specific rules for those machines.