Nitro Cards


Start course

This course explores the AWS Nitro System, covering the basics of the service, its core components, and its benefits.

Learning Objectives

  • Learn what the AWS Nitro system is
  • Understand the key components that make up the AWS Nitro system
  • Understand the difference between the Nitro cards of an EC2 instance
  • Explore the benefits of the AWS Nitro System

Intended Audience

This course is intended for those who are looking to learn more about the underlying architecture of EC2 instances at the virtualization level.


As a prerequisite to this course, you should be familiar with virtualization methods and concepts, including components such as hypervisors, in addition to an understanding of computing hardware and terms. 


These cards are used to perform specific tasks on the underlying host, of which there are 4 different Nitro cards. 

We have the:

  1. VPC Networking Nitro card
  2. EBS Nitro Card
  3. Instance Storage Nitro card
  4. Nitro Card controller, or systems controller card

Let me expand upon on what each of these cards are responsible for, starting with the VPC Networking Nitro card.

This card has been designed and purpose-built to handle traffic relating to VPC Networking requests.  It uses an Elastic Network Adapter (ENA) card, which provides enhanced networking capabilities, and comes with driver support for all of the major operating systems issued by AWS to ensure compatibility with your instance choice.  

This Nitro card is also responsible for the VPC data plane, which is effectively the component that processes networking requests, and allows your instances to talk to other instances in your VPC.  As a result, any requests the host receives relating to network encapsulation, security groups, routing and also network limiting which helps to maintain the same consistent performance experience, its all handled by the data plane of the VPC Nitro card.  

Next up with have the EBS Nitro Card to help you connect to block storage. This has been built using a Non-Volatile Memory express (NVMe) controller, which allows your virtual instances to communicate with your persistence storage layer when working with the Elastic Block Store service.  Your EC2 instances communicate with the NVMe controller via a Peripheral Component Interconnect Express (PCIe) bus, providing low latency and high data transfer rates.  

As with the VPC Nitro card, this EBS card also has a data plane that is responsible for supporting data encryption on the volumes.

The next card is the Instance Storage Nitro card, as you may have expected, this is also managed by an NVMe controller and focused on the instance storage.  With the introduction of NVMe, the speeds of local instance storage can now exceed that of networking performance, and so local storage is now attractive for many different workloads that do not require data persistence. 

The data plane of this nitro card is responsible for drive monitoring.  This is important, as over time, with the more write and erase operations that occur, the NAND, which is a type of non-volatile flash memory, will eventually experience more and more degradation and if left long enough, the drive might no longer be capable of reading and writing data.   Through drive monitoring, you can be notified when this degradation occurs allowing you to take corrective action. 

The final card I want to talk about is the Nitro Card controller, or system controller card, and this is effectively the Nitro card that is the one that glues all the other cards together. 

This is critical for the entire AWS Nitro system, it’s the brain of Nitro and as such, it has a number of different responsibilities and tasks.  

First and foremost, it helps to coordinate communications between all of the other Nitro cards, so the VPC card, the EBS card, and the Instance storage card.  It also communicates with the Nitro Hypervisor, and also with the Nitro Security Chip to implement a Hardware Root of Trust.  This enables AWS to cryptographically both measure and validate the host system ensuring there is a secure boot process.

About the Author
Stuart Scott
AWS Content Director
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.