For the on-prem workers in a hybrid deployment, which ports need to be open inbound? Doc mentions 4200 and 443 outbound to Cribl cloud, but is communication from the Cloud back to the worker also on 4200? Or another port?
Communication is always initiated by the worker to the leader in a request/response model.
No inbound communication is required. All data is transferred over the outbound connection.
OK, so what comes back to the worker from the cloud would be a response on the same port that the worker used for the request, correct?
Correct. It's the same way you don't need to open inbound ports to browse websites.