I'm trying to establish a site-to-site VPN connection between my Azure VNet and an on-premises network. The company I'm connecting with only accepts one private IP address from me to add to their traffic selectors configuration.
In the image below, I have two VMs that need to communicate with the on-premises services through the VPN gateway. Given the limitation of a single IP address, what would be the best way to set this up? Should I use the VPN Gateway's private IP address and add it to the traffic selectors?
Here are the details:
Azure VNet: Configured with two VMs that need to communicate.
On-premises VNet: Accepts only one private IP to configure for traffic selectors.
How can I make this setup work with just one private IP, and is using the VPN Gateway's private IP address a valid approach?
Any help or suggestions would be greatly appreciated!
How to set up a site-to-site connection between Azure VNet and an on-premises network with a single IP address for traffic selectors?
If you want to use a single IP address for on-premises connectivity, you can use Dynamic NAT on Azure VPN Gateway. This will route traffic to the on-premises network using a single IP address within the private network.
When dynamic NAT rules are used in Azure VPN Gateway, the traffic is unidirectional, which means that communication must be initiated from the site that is represented in the internal mapping field of the rule. If traffic is initiated from the external mapping, the connection will not be established.
If you require bidirectional communication, then you can use a static NAT rule to define a 1:1 mapping.
Note: static NAT would have a wider address range.
Reference: How can I configure NAT on my VM subnets to route traffic through a single allowed IP address for accessing the client's system via the Site-to-Site VPN? by KapilAnanth-MSFT
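To make the difference between the two rule types concrete, here is a small Python model of how a dynamic (many-to-one) and a static (1:1) NAT rule translate addresses on the gateway. It is an added illustration, not code from the answer above or from Azure; the rule names, the Azure-side range 10.0.1.0/24, the VM addresses 10.0.1.4 and 10.0.1.5, the single on-premises-facing address 192.168.100.10 and the port numbers are all constructed. It shows why a VM-initiated flow works under the dynamic rule while an unsolicited flow from the on-premises side does not, and why a static rule cannot map a /24 onto a single address.

```python
"""Toy model of Azure VPN Gateway NAT rule semantics (Dynamic vs Static).

Constructed example, not Azure code: it reproduces the behaviour the answer
describes so it can be checked on sample addresses. Every address, name and
port below is made up for the illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str
    rule_type: str                    # "Dynamic" (many-to-one SNAT) or "Static" (1:1)
    internal: ipaddress.IPv4Network   # the Azure-side range named in the rule
    external: ipaddress.IPv4Network   # what the on-premises side sees


def make_rule(name: str, rule_type: str, internal: str, external: str) -> NatRule:
    """Build a rule from CIDR strings (hypothetical helper, not an Azure API)."""
    return NatRule(name, rule_type,
                   ipaddress.IPv4Network(internal), ipaddress.IPv4Network(external))


class GatewayNat:
    """Minimal translation table for one NAT rule on the gateway."""

    def __init__(self, rule: NatRule) -> None:
        if rule.rule_type not in ("Dynamic", "Static"):
            raise ValueError("rule_type must be 'Dynamic' or 'Static'")
        if rule.rule_type == "Static" and rule.internal.num_addresses != rule.external.num_addresses:
            # A static rule is 1:1, so the external range must be as wide as the internal one.
            raise ValueError(f"static NAT is 1:1: {rule.internal} needs an external "
                             f"range of the same size, got {rule.external}")
        if rule.rule_type == "Dynamic" and rule.external.num_addresses != 1:
            raise ValueError("this model uses a single external IP for dynamic NAT")
        self.rule = rule
        # (external_ip, external_port) -> (internal_ip, internal_port), dynamic rules only
        self._sessions: dict[tuple, tuple] = {}
        self._next_port = 1024

    def egress(self, src_ip: str, src_port: int):
        """An Azure VM initiates a flow toward on-premises; return the translated source."""
        src = ipaddress.IPv4Address(src_ip)
        if src not in self.rule.internal:
            return None  # the rule does not cover this source
        if self.rule.rule_type == "Static":
            offset = int(src) - int(self.rule.internal.network_address)
            return (str(self.rule.external.network_address + offset), src_port)
        # Dynamic: every VM shares the one external IP, told apart by source port.
        ext = (str(self.rule.external.network_address), self._next_port)
        self._next_port += 1
        self._sessions[ext] = (str(src), src_port)
        return ext

    def ingress(self, dst_ip: str, dst_port: int):
        """On-premises sends a packet to an external-mapping address.

        Returns the Azure endpoint that receives it, or None if nothing does.
        """
        dst = ipaddress.IPv4Address(dst_ip)
        if dst not in self.rule.external:
            return None
        if self.rule.rule_type == "Static":
            offset = int(dst) - int(self.rule.external.network_address)
            return (str(self.rule.internal.network_address + offset), dst_port)
        # Dynamic: only replies to an existing VM-initiated session get through;
        # a flow started from the on-premises side has no table entry and is dropped.
        return self._sessions.get((str(dst), dst_port))


if __name__ == "__main__":
    dyn = GatewayNat(make_rule("vm-snat", "Dynamic", "10.0.1.0/24", "192.168.100.10/32"))
    print("vm1 egress  ->", dyn.egress("10.0.1.4", 40000))
    print("vm2 egress  ->", dyn.egress("10.0.1.5", 40000))
    print("reply in    ->", dyn.ingress("192.168.100.10", 1024))
    print("unsolicited ->", dyn.ingress("192.168.100.10", 5000))
    try:
        GatewayNat(make_rule("bad", "Static", "10.0.1.0/24", "192.168.100.10/32"))
    except ValueError as exc:
        print("static /32  ->", exc)
```

With the dynamic rule both VMs appear to the on-premises side as 192.168.100.10, which satisfies a traffic selector that allows exactly one address, but only for flows the VMs start. A static rule would let the on-premises side initiate connections, at the cost of needing an external range as wide as the internal one.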