(Noob Question) Possible to port forward over IPSec tunnel?

Started by KingSteve032, February 28, 2023, 09:42:51 PM

I have OPNsense up in Azure that is acting like an IPsec hub for the rest of my sites, which also use OPNsense. With Azure I have a public-facing IP address that I can open ports up to, but my other sites have CGNAT IP addresses, so opening ports up is pretty useless. Is it possible to open a port up on the Azure side to a device on the other side of the IPsec tunnel?

So Site A has a subnet of 10.0.0.0/24, and the host I need to forward a port for is on Site B, which is 10.1.0.0/24.
Doing some googling, I found this post https://forum.opnsense.org/index.php?topic=18579.msg84697#msg84697 that seems to be asking the same thing as me, and it says I need to add the destination network to the Manual SPD entries of the phase 2 tunnel. I'm guessing I would add Site A's to Site B's entries and vice versa.

Thank you to anyone that can help me!