DEV Community

Cover image for Where Do Your AWS Network Rules Actually Live?
Md Tanvir Rahman
Md Tanvir Rahman

Posted on

Where Do Your AWS Network Rules Actually Live?

#aws #onpremises #networking #architecture

After spending years climbing into server racks, cabling switches, and staring at Cisco IOS prompts, the first time I opened the AWS console felt oddly disorienting.
Everything I knew was still there — subnets, routing tables, firewall rules — but the physical devices had completely vanished. No chassis to open. No cable to trace. Just a browser tab. So I went digging. And what I found changed how I think about networking entirely.

AWS did not reinvent networking. It took every concept we already know and rebuilt it as distributed software — invisible to us, managed entirely by Amazon, running across thousands of physical servers.

Let me show you exactly what that means.

Same Concepts, Different World

In an on-premises environment, the path from the edge router to a client's server runs through a private internal network — thousands of L2/L3 Switches, Next-Gen Firewalls, Load Balancers. We group them by service or client type, rack the devices, cable everything, SSH in, and configure VLANs, routing protocols, ACLs, and firewall policies directly on each device. We have full physical access & control.

Internal-Network

Inside AWS, the physical hardware still exists. There is a massive private internal network fabric connecting Amazon's datacenters — they call it the AWS Backbone. And every concept you know from on-prem has a direct AWS equivalent. The terminology shifts slightly, but the logic is identical. A route table is still a route table. A firewall rule is still a firewall rule. Also —

comparison

But here is where most network engineers hit a wall. If the concepts are the same, then:

  • On-prem physical router == AWS's physical router?
  • On-prem physical firewall == AWS's physical firewall?
  • Are we somehow reaching their internal devices from the public internet?

AWS says everything lives in a private network — so how does any of this work?
The answer flips everything you expect on its head.

Your Rules Don't Live Where You Think

On-premises, a network engineer touches everything — from the edge router all the way down to the Top of Rack (ToR) switch — for any configuration task. In AWS, it is the complete opposite.

No physical router, firewall, or switch inside the AWS datacenter holds your configuration. Not a single one.

Instead, every networking rule you apply through the AWS console or CLI — your Security Groups, your Route Tables, your VPC settings — is picked up and enforced by something running directly on the physical server where your EC2 instance lives. That something is the AWS Nitro Hypervisor.

Think of it this way➝ in on-prem, your rules live in the network. In AWS, your rules live in the server. Right there on the same physical machine as your VM, before any packet can reach it.

This is the key insight that unlocks everything else.

Nitro Hypervisor — The Real Game changer

To understand why Nitro matters, you first need to see the problem with traditional hypervisors.

In on-premises environments, hypervisors like VMware ESXi or Microsoft Hyper-V run as a software layer on the main CPU. They manage VMs, networking, storage, and security — but they do all of it by competing with your VMs for the same CPU and RAM. Every packet your VM sends, every disk write it makes, the hypervisor jumps in on the main CPU to process it. Under heavy load, that overhead can silently consume 10–30% of compute resources.

AWS looked at this problem at the scale of millions of EC2 instances and asked a simple but radical question:

What if we moved every hypervisor function completely off the main CPU?

The answer was Nitro — three dedicated hardware chips (ASICs), each responsible for one job and one job only.

nitro hypervisor

  1. Nitro Network Card : Handles Security Groups, VPC routing, NAT translation, packet filtering, and VPC traffic isolation.

  2. Nitro Storage Card : Handles EBS volume I/O, NVMe processing, AES-256 encryption, compression, and snapshot management.

  3. Nitro Security Chip : Enforces hardware-level isolation, secure boot, encryption key management at the hardware level. This chip is why AWS can make announcement loudly that even their own employees cannot access your VM. It is not a policy — it is physically impossible at the hardware level.

※ The result : your EC2 instance gets nearly 100% of the physical CPU and RAM. The hypervisor's resource utilization drops to almost zero. That is why AWS EC2 on Nitro performs close to bare-metal speeds — because there is barely any hypervisor overhead left to subtract.

But There Are Thousands of EC2s on One Server — How Does Nitro Know Which Rules Are Yours?

This is the question that always comes next, and it is a good one.

A single physical server inside an AWS datacenter can run EC2 instances belonging to dozens of different customers. When a packet arrives at the physical NIC, the Nitro card needs to know instantly : whose packet is this, and which rules apply to it?

The Answer — Everything has a unique ID. When you create ANYTHING in AWS, it gets a unique identifier burned into it. Like ——

Your EC2              → i-0a1b2c3d4e5f
Your VPC              → vpc-0a1b2c3d4e5f
Your Subnet           → subnet-0a1b2c3d4e5f
Your Route Table      → rtb-0a1b2c3d4e5f
Your Security Group   → sg-0a1b2c3d4e5f
Your ENI              → eni-0a1b2c3d4e5f
Enter fullscreen mode Exit fullscreen mode

These IDs form a chain of ownership stored in AWS's central SDN controller database. When your EC2 launches on a physical server, the SDN controller pushes your complete rule set — Security Groups, Route Tables, VPC boundaries — directly into the Nitro card's dedicated memory on that server. But the real-time traffic matching happens through something more fundamental : the ENI and its MAC address.

Every EC2 instance has an Elastic Network Interface (ENI) — think of it as its virtual NIC. The ENI carries everything: private IP, public IP, Security Group assignment, subnet, VPC, and a unique MAC address.

Here is what happens the moment a packet arrives:

  1. The packet hits the physical NIC carrying a destination MAC address inside its Layer 2 frame.
  2. The Nitro card reads that MAC address and looks it up in its internal ENI table.
  3. It instantly knows: this MAC belongs to ENI eni-abc123, which belongs to Customer A's VPC, protected by Security Group sg-xxx, routed by Route Table rtb-xxx.
  4. It applies those rules in hardware — in nanoseconds — and either delivers the packet to the right EC2 or drops it. Traffic Flow

Two customers can even share the same private IP address (say, 10.0.1.5) on the same physical server — because the VPC ID in the ENI chain keeps them completely isolated. The Nitro card never confuses them. It is not working from IP alone; it is working from the full ownership chain burned into its memory.
Traffic Distinguish

So What Does This Actually Mean for You?

If you have spent years in on-prem networking, here is the mental model that ties everything together —

  • In on-premises, your rules live in the network — in the router, in the firewall, in the switch ACL. Traffic hits those devices and gets filtered there.

  • In AWS, your rules live in the server — in the Nitro card's dedicated memory, enforced before any packet reaches your VM. There is no physical firewall in the path. There is no router to SSH into. The entire network policy is distributed to every physical server that runs your workloads. That is not a limitation. That is the design.

Top comments (0)