The optimal solution is to run self-hosted build agents on a server that is open to the internet and set up an agent pool in Azure DevOps Services for them. You'll want to use Deployment Groups for deployments, and install deployment group agents on target servers, where they'll just need outbound 443 access to communicate with Azure DevOps Services.
If that isn't possible, you'll have to install deployment agents on the build machine, which will then see your other on-premises servers. However, this is an unsatisfactory solution because you'll either have to rely on WinRM capabilities for deployments, or expose too much network between your build server and other on-premises servers.
Take a look at the agent documentation and especially the communication subsection:
Or this old blog post, from which the communication section originates:
Because Azure DevOps Services and Azure DevOps Server are essentially the same product, I don't believe there is a useful way to connect them. Given that you wish to keep the repos in Azure DevOps Services, I assume (but don't know) that you're aiming to merge Azure DevOps Services with on-premises builds and deploys. In other words, you want to operate build and deployment group agents on-premises.
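An added example, not part of the original answer: a Python check of a deployment target's firewall rules against the model described above, where the deployment group agent needs only outbound 443 and the build server needs no inbound path (WinRM or otherwise) to the target. The rule format, rule names and addresses are constructed for illustration; 5985 and 5986 are WinRM's default HTTP and HTTPS listener ports.

```python
# Constructed rule format: name, direction ("in"/"out"), action, remote, port.
WINRM_PORTS = {5985, 5986}  # WinRM default HTTP / HTTPS listeners


def audit_target_rules(rules, build_server, allowed_egress=frozenset({443})):
    """Flag allow-rules on a deployment target that go beyond the pull model.

    In the pull model the agent on the target dials out on 443, so:
      * any inbound rule that makes WinRM reachable is a finding,
      * any inbound rule opened specifically for the build server is a finding,
      * any outbound rule outside allowed_egress is a finding.
    allowed_egress is a site decision (assumption: only 443 by default).
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # block rules cannot widen exposure
        port = rule["port"]
        if rule["direction"] == "in":
            if port == "any" or port in WINRM_PORTS:
                findings.append((rule["name"], "winrm-reachable"))
            elif rule["remote"] == build_server:
                findings.append((rule["name"], "inbound-from-build-server"))
        elif port == "any" or port not in allowed_egress:
            findings.append((rule["name"], "egress-beyond-allowed"))
    return findings


# Constructed sample: rules exported from one hypothetical target server.
BUILD_SERVER = "10.0.0.5"
SAMPLE_RULES = [
    {"name": "agent-to-azdo", "direction": "out", "action": "allow", "remote": "any", "port": 443},
    {"name": "winrm-from-build", "direction": "in", "action": "allow", "remote": BUILD_SERVER, "port": 5986},
    {"name": "smb-to-build", "direction": "out", "action": "allow", "remote": BUILD_SERVER, "port": 445},
    {"name": "site-https-in", "direction": "in", "action": "allow", "remote": "any", "port": 443},
    {"name": "build-ssh-in", "direction": "in", "action": "allow", "remote": BUILD_SERVER, "port": 22},
    {"name": "rdp-blocked", "direction": "in", "action": "block", "remote": "any", "port": 3389},
]

if __name__ == "__main__":
    for name, issue in audit_target_rules(SAMPLE_RULES, BUILD_SERVER):
        print(f"{name}: {issue}")
```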