Certain embodiments described herein are generally directed to checking packets at a hardware tunnel endpoint. In some embodiments, an encapsulated packet is received at a hardware tunnel endpoint. It is determined if an inner source media access control (MAC) address is associated with an outer source internet protocol (IP) address of the encapsulated packet based on a mapping of MAC addresses of virtual computing instances to IP addresses of tunnel endpoints stored at the hardware tunnel endpoint. If it is determined the inner source MAC address is not associated with the outer source IP address, the packet is dropped.