Help with Cisco ISE Deployment – Main ISE in Europe, Remote Site in US

ggenti122
Level 1

Hi,

We're working on a Cisco ISE deployment and I'd appreciate some guidance or validation from those with experience. Here's the setup:

  • Our main ISE (PAN + PSN) is located in Europe.

  • We have a remote site in the USA that needs to authenticate users and devices.

  • We plan to deploy a virtual ISE node in Azure (USA region) to serve that site.

A few questions I'm looking to confirm:

  1. Can we deploy the ISE VM in Azure as a Policy Service Node (PSN) and register it to the main ISE in Europe?

  2. How does latency and replication work between Azure (USA) and the main node in Europe? Any concerns?

  3. What are the minimum VM specs recommended for ISE in Azure (we expect light to moderate load at the remote site)?

  4. Is there any guidance on disk sizing or I/O performance that must be considered during deployment?

Any insight or experience with this kind of hybrid cloud/on-prem ISE setup would be greatly appreciated!

Best Regards,

Genti


4 Replies

Hi @ggenti122,

Please take a look at:

Performance and Scalability Guide for Cisco Identity Services Engine

For Latency and Replication, search for Cisco ISE Deployment Scale Limits.

For VM Specs, search for Cisco ISE Hardware Appliances.

and

Cisco ISE Installation Guide, 3.4 - Cisco Secured Network Server Series Appliances and Virtual Machine Requirements

For Disk Sizing or I/O Performance, search for VMware Virtual Machine Requirements; pay special attention to Storage and File System.

Note: for an overview: ISE - What we need to know about SNS / VM

Hope this helps!!!


Many thanks for the feedback!!

Arne Bier
VIP
  1. Can we deploy the ISE VM in Azure as a Policy Service Node (PSN) and register it to the main ISE in Europe?
    Yes, as long as the PSN in Azure has IP connectivity (allow the protocols listed in the installation guide) to the PAN and MNT nodes in Europe. PSNs also communicate with each other, and you should check the install guide to see what ports need to be opened.

  2. How does latency and replication work between Azure (USA) and the main node in Europe? Any concerns?
    It depends on your carrier/ISP, and I would assume that the latency across the Atlantic is pretty decent these days. There are minimum latency values that ISE needs (in the install guide). I have experienced PSNs behaving erratically over slower WAN links. ISE will log Alarms in these cases because it's really sensitive to not getting a response in the expected time. If the situation is really bad, then a remote node can end up being out of sync and will need a manual sync-up. That's not a fun exercise if it happens regularly. Check your latency with some iPerf or traceroute tests. ICMP would get the worst treatment in any transport, so that should give you the worst case. ISE uses TCP for its comms, and that means you might have better results than tested with traceroute/ping.

  3. What are the minimum VM specs recommended for ISE in Azure (we expect light to moderate load at the remote site)?
    Install Guide. I don't stress over making PSNs any bigger than they need to be. If you create efficient Policy Sets and don't do stupid things on your PSN, you should be fine with the Small or Very Small PSN footprint. It depends on what you plan to do with your PSN. Profiling can add some extra overhead, but it depends on what exactly you're doing there. Cisco tend to over-exaggerate the requirements; if you look at the utilisation data from vCenter (for example) you will see just how much REAL memory and REAL CPU MHz have been consumed over time. Cisco tests for the worst case and most heavily loaded system just so you can rest assured it will work.

  4. Is there any guidance on disk sizing or I/O performance that must be considered during deployment?
    I used to make PSNs 300GB because they don't store much data and anything larger seemed like a waste. But due to ISE bugs and its lack of cleaning up after itself, it's become customary to make PSNs 600GB so that patching junk and other junk don't cause a patch/upgrade to fail. You might find that of that 600GB only 100GB is actually used. But so be it. Better to be safe.

Any insight or experience with this kind of hybrid cloud/on-prem ISE setup would be greatly appreciated!
I can't say I have done any cloud ISE deployments before. My biggest concern would be the $$$ bill at the end of the day. I'd love to know from someone who has run this for 5 years and then added up the cost, and compared it to an on-prem solution.
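
As an added example, not code from this thread or from Cisco: a small Python script that follows the advice above to measure the link with TCP rather than ICMP, timing repeated TCP handshakes from the would-be PSN in Azure to the PAN and MnT nodes in Europe and summarising min/median/p95/max. The target hostnames, the port and the acceptance threshold are placeholders I assumed; the real ports and latency limit come from the ISE installation guide referenced in the thread.

```python
import socket
import statistics
import time

# Assumed placeholder FQDNs for the PAN and MnT nodes in Europe and a
# placeholder port; substitute the real nodes and the ports listed in the
# ISE installation guide.
TARGETS = [("pan.example.internal", 443), ("mnt.example.internal", 443)]
SAMPLES = 20
# Assumed acceptance threshold in ms; the install guide holds the real
# value, so treat this number as a placeholder to be replaced.
MAX_RTT_MS = 300.0


def measure_tcp_rtt(host, port, samples=SAMPLES, timeout=3.0):
    """Time the TCP three-way handshake to host:port; None marks a failed attempt."""
    results = []
    for _ in range(samples):
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results.append((time.perf_counter() - start) * 1000.0)
        except OSError:
            results.append(None)
    return results


def summarize(samples_ms):
    """Return min/median/p95/max in ms plus the failure count for one target."""
    ok = sorted(s for s in samples_ms if s is not None)
    failed = len(samples_ms) - len(ok)
    if not ok:
        return {"ok": 0, "failed": failed}
    p95_index = min(len(ok) - 1, int(round(0.95 * (len(ok) - 1))))
    return {"ok": len(ok), "failed": failed, "min": ok[0],
            "median": statistics.median(ok), "p95": ok[p95_index], "max": ok[-1]}


def evaluate(stats, max_rtt_ms=MAX_RTT_MS):
    """'fail' if any handshake failed or p95 exceeds the threshold, else 'pass'."""
    if stats["ok"] == 0 or stats["failed"] > 0:
        return "fail"
    return "fail" if stats["p95"] > max_rtt_ms else "pass"


if __name__ == "__main__":
    # Run this from the Azure VM (or subnet) where the PSN will live.
    for host, port in TARGETS:
        stats = summarize(measure_tcp_rtt(host, port))
        print(host, port, evaluate(stats), stats)
```

A single failed handshake is reported as a fail on purpose: on a replication path, intermittent loss matters as much as raw latency.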

Many thanks for the feedback