The way hybrid works is that you have a local (scalable) Tyk gateway; it synchronises API definitions with Tyk Cloud and uses Tyk Cloud as a master resource for generated access tokens. Once they are cached locally, they are valid until deleted. Tyk Hybrid nodes will synchronise access analytics back up to Tyk Cloud.
Yes, the Tyk Docker instance listens for requests. Yes, it authenticates against Tyk Cloud, and yes, it then proxies if authorised.
You log into your Tyk Cloud dashboard and set up your API definition as you would with a cloud-based setup, just that the targets you define can be inside your network, as you are doing your traffic handling locally.
The Tyk Hybrid container must be on your network and be able to see your API. It can live behind your firewall, so long as it can communicate with Tyk Cloud, so you can use a private subnet with Tyk Hybrid, since Tyk will proxy inside your network once traffic hits the container.
No, you just need to configure your API in the Tyk Cloud admin dashboard with your API on 172.17.0.0/16. If Hybrid is set up and running, then you should be able to send traffic to your hybrid container (if it is installed on your network) and see it proxied to your target node.