Are you wondering how the AWS SSM (Systems Manager) agent communicates with the Systems Manager service in a restricted environment without internet access? According to AWS, the process involves several steps. First, the SSM agent calls the instance metadata service to obtain information such as the AWS region. Then it attempts to resolve the Systems Manager API endpoint using private DNS. Private DNS resolves the API domain to the private IP address of the VPC interface endpoint's ENI. Next, the EC2 instance sends the API request to that private IP address. The VPC interface endpoint forwards the request over AWS PrivateLink to the Systems Manager service. Finally, Systems Manager processes the API request and responds over PrivateLink back to the VPC interface endpoint, which returns it to the instance.

Source: https://dev.to/nanditechbytes/how-aws-ssm-agent-communicates-with-using--1a0g
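The step the post describes that most often goes wrong in practice is the private DNS resolution: if the interface endpoints are missing or were created with private DNS disabled, the regional API hostnames resolve to public addresses and the agent either fails (no NAT) or silently talks to SSM over the internet. The check below is an added example, not code from the post or from AWS; it builds the regional hostnames for the three services the SSM agent uses (ssm, ssmmessages, ec2messages) and reports whether each resolves inside the VPC CIDR. The region, VPC CIDR and the resolver answers in `sample_resolver` are constructed sample values; on a real instance, call `check_private_resolution` without a resolver argument to use the system resolver.

```python
"""Verify that SSM API hostnames resolve to VPC-private addresses (interface endpoints)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Services the SSM agent contacts; each needs its own VPC interface endpoint.
SSM_SERVICES = ("ssm", "ssmmessages", "ec2messages")

Resolver = Callable[[str], List[str]]


def endpoint_hostnames(region: str) -> List[str]:
    """Regional API hostnames that private DNS must map to the endpoint ENIs."""
    return [f"{svc}.{region}.amazonaws.com" for svc in SSM_SERVICES]


def system_resolver(hostname: str) -> List[str]:
    """Resolve a hostname to IPv4 addresses using the instance's configured DNS."""
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_private_resolution(
    region: str, vpc_cidr: str, resolver: Optional[Resolver] = None
) -> Dict[str, dict]:
    """Classify each SSM hostname as private, public, mixed, or unresolved.

    'private' means every returned address lies inside the VPC CIDR, which is
    what a working interface endpoint with private DNS enabled looks like.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    resolve = resolver or system_resolver
    report: Dict[str, dict] = {}
    for host in endpoint_hostnames(region):
        try:
            addrs = resolve(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            report[host] = {"status": "unresolved", "addresses": [], "detail": str(exc)}
            continue
        inside = [a for a in addrs if ipaddress.ip_address(a) in vpc]
        outside = [a for a in addrs if ipaddress.ip_address(a) not in vpc]
        if addrs and not outside:
            status = "private"
        elif inside and outside:
            status = "mixed"
        elif addrs:
            status = "public"
        else:
            status = "unresolved"
        report[host] = {"status": status, "addresses": addrs, "outside_vpc": outside}
    return report


def misconfigured_endpoints(report: Dict[str, dict]) -> List[str]:
    """Hostnames that would not reach SSM purely over PrivateLink."""
    return [host for host, entry in report.items() if entry["status"] != "private"]


# Constructed offline resolver: two endpoints resolve to ENI addresses inside the
# VPC, while ec2messages has no endpoint and resolves to a public (TEST-NET) address.
_SAMPLE_ANSWERS = {
    "ssm.us-east-1.amazonaws.com": ["10.20.1.15", "10.20.2.27"],
    "ssmmessages.us-east-1.amazonaws.com": ["10.20.1.16"],
    "ec2messages.us-east-1.amazonaws.com": ["203.0.113.10"],
}


def sample_resolver(hostname: str) -> List[str]:
    """Stand-in for DNS so the example runs without network access."""
    if hostname not in _SAMPLE_ANSWERS:
        raise socket.gaierror(f"constructed resolver has no answer for {hostname}")
    return list(_SAMPLE_ANSWERS[hostname])


if __name__ == "__main__":
    result = check_private_resolution("us-east-1", "10.20.0.0/16", resolver=sample_resolver)
    for host, entry in result.items():
        print(f"{host:45} {entry['status']:10} {entry['addresses']}")
    print("needs attention:", misconfigured_endpoints(result))
```

A "public" or "mixed" result for any of the three hostnames means the instance is not on the PrivateLink path the post describes; the usual fixes are creating the missing interface endpoint or enabling private DNS on it, and checking that the endpoint's security group allows TCP 443 from the instance.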