Security group for AWS NTP Server
I am just trying to synchronize time with an NTP server on my EC2 instances:

server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst

Unfortunately, I couldn't sync with the NTP server. My questions are:

  1. Do we have to open ports in the security group to allow the NTP server to connect to the EC2 instances?
  2. If yes, then how can we know which IP amazon.pool.ntp.org resolves to (it changes over time), given that we cannot open all traffic?

Thanks in advance,
Toan Dao

Niall answered 8/3, 2016 at 4:48 Comment(0)
7

You need to allow outbound traffic to 0.0.0.0/0 on port 123 on your security group for NTP to work.

If your EC2 instance is in a public subnet, then you only need to allow this on your security group.

But if your EC2 instance is in a private subnet, then you need to allow inbound and outbound traffic on port 123 for your NAT to pass the requests and responses. Inbound is required from your EC2 instance (not the world).

Carlitacarlo answered 8/3, 2016 at 5:26 Comment(3)
No need to open inbound/129 on NAT. (Arabian)
Thanks @Matt Houser, I think it should be port 123. It worked for me. (Niall)
Corrected port to 123. Your NAT does require incoming from the instance (not the world), otherwise the NAT will reject the requests coming from the EC2 instance. (Carlitacarlo)
7

According to AWS's documentation:

Network Time Protocol (NTP) is configured by default on Amazon Linux instances; however, an instance needs access to the Internet for the standard NTP configuration to work. Your instance's security group must also allow outbound UDP traffic on port 123 (NTP)
source: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html

So we need to allow outbound traffic to 0.0.0.0/0 on UDP port 123 in the security group for NTP to work.

Niall answered 8/3, 2016 at 9:31 Comment(0)
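The two answers above both come down to one egress rule, and the reason one rule is enough is that security groups are stateful: the UDP/123 reply is admitted automatically. A subnet network ACL is stateless, so there the request (egress, destination port 123) and the reply (ingress, destination port = the client's source port) are judged separately; ntpd sends from port 123, chronyd from a random ephemeral port, so the two clients need different ingress rules. The following added example (mine, not code from the thread or from AWS) audits both kinds of rule offline against dictionaries shaped like the `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` JSON output. The sample rules and the address 203.0.113.10 (standing in for whatever the pool resolves to today) are constructed for the example; the exemption of 169.254.169.123 from security groups and network ACLs is from the AWS VPC security documentation. For an instance in a private subnet, a NAT gateway has no security group of its own, while a NAT instance's security group needs inbound UDP/123 from the private subnet CIDR and the same outbound rule, which the `sg_allows_ntp` check below can be run against as well.

```python
"""Offline audit: do a security group and a network ACL let NTP out?

Rule dictionaries follow the shape of `aws ec2 describe-security-groups`
and `aws ec2 describe-network-acls` output. All sample data at the bottom
is constructed for this example, not taken from a real account.
"""
import ipaddress

NTP_PORT = 123
UDP = "udp"            # security-group IpProtocol value
UDP_NUMBER = "17"      # network-ACL Protocol value
ALL = "-1"             # "all protocols" in both APIs
AMAZON_TIME_SYNC = "169.254.169.123"
# Source port the client sends from, so the NACL must admit replies to it.
REPLY_PORTS = {"ntpd": (123, 123), "chronyd": (32768, 60999)}


def needs_vpc_rules(server_ip):
    """The Amazon Time Sync link-local address is exempt from security
    groups and network ACLs, so nothing needs opening for it."""
    return ipaddress.ip_address(server_ip) != ipaddress.ip_address(AMAZON_TIME_SYNC)


def _in_cidr(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows_ntp(sg, server_ip):
    """Security groups are stateful: one egress permission for UDP/123 is
    enough, the reply is admitted automatically."""
    if not needs_vpc_rules(server_ip):
        return True
    for perm in sg.get("IpPermissionsEgress", []):
        if perm["IpProtocol"] not in (UDP, ALL):
            continue
        # Protocol "-1" carries no port fields and means every port.
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= NTP_PORT <= hi:
            continue
        if any(_in_cidr(r["CidrIp"], server_ip) for r in perm.get("IpRanges", [])):
            return True
    return False


def _nacl_decision(nacl, egress, port, ip):
    """First matching entry (lowest RuleNumber) decides; no match is a deny."""
    for entry in sorted(nacl["Entries"], key=lambda x: x["RuleNumber"]):
        if entry["Egress"] != egress or entry["Protocol"] not in (UDP_NUMBER, ALL):
            continue
        if not _in_cidr(entry["CidrBlock"], ip):
            continue
        port_range = entry.get("PortRange")   # absent on "-1" entries: all ports
        if port_range and not port_range["From"] <= port <= port_range["To"]:
            continue
        return entry["RuleAction"] == "allow"
    return False


def nacl_allows_ntp(nacl, server_ip, client="chronyd"):
    """Network ACLs are stateless: check the request and the reply separately.
    Testing both ends of the reply-port range catches the usual mistakes (no
    ingress rule, or one that stops at 1023); a rule with a hole in the middle
    of the range would need a per-port walk."""
    if not needs_vpc_rules(server_ip):
        return True
    lo, hi = REPLY_PORTS[client]
    return (_nacl_decision(nacl, True, NTP_PORT, server_ip)
            and _nacl_decision(nacl, False, lo, server_ip)
            and _nacl_decision(nacl, False, hi, server_ip))


# Constructed sample data.
SG_EGRESS_ONLY = {"IpPermissionsEgress": [
    {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_TCP_ONLY = {"IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
NACL_STATELESS_OK = {"Entries": [
    {"RuleNumber": 100, "Egress": True, "Protocol": "17", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 123, "To": 123}},
    {"RuleNumber": 100, "Egress": False, "Protocol": "17", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}}]}
NACL_NO_REPLY_RULE = {"Entries": NACL_STATELESS_OK["Entries"][:1]}

if __name__ == "__main__":
    pool_ip = "203.0.113.10"   # stands in for today's 0.amazon.pool.ntp.org address
    print("sg ok:", sg_allows_ntp(SG_EGRESS_ONLY, pool_ip))
    print("nacl ok (chronyd):", nacl_allows_ntp(NACL_STATELESS_OK, pool_ip))
    print("nacl ok (ntpd):", nacl_allows_ntp(NACL_STATELESS_OK, pool_ip, client="ntpd"))
```

The sample network ACL passes for chronyd and fails for ntpd, because ntpd's replies come back to port 123, which the ingress entry starting at 1024 does not cover. That is the one case where an "inbound" NTP rule matters, and it is a network ACL rule, not a security group rule.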
5

For anyone visiting more recently, AWS have their own time servers now: https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/ (and also just to re-iterate: you do need time sync on AWS VMs, otherwise they'll drift a noticeable amount after a couple of months).

To use them, you need to configure your NTP server (ntpd or chronyd) to use server 169.254.169.123. This magic IP is within AWS, so doesn't go out of the VPC or onto the Internet. As per @Rolo787's comment, no Security Group changes are needed as it's "link local" (see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html).

Just to note, it's usual to include multiple servers and let your client work out the time from all of them. In the AWS case, even though it's only a single IP, you're talking to multiple servers and as such don't specifically need to use multiple IPs. If you're allowed to use Internet NTP servers as well as the AWS one, then there's no harm in configuring multiple, perhaps with a prefer option on the AWS one.

Yaelyager answered 9/9, 2019 at 14:10 Comment(1)
There is no need to open 123 UDP outbound since this is a link local address. (Loeb)
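The configuration the answer describes, as an added example rather than the answerer's own file: a chrony.conf fragment with Amazon Time Sync as the preferred source and the public pool entries from the question kept as a fallback. The `server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4` line is the one AWS documents for chrony; the fallback `pool` line is my addition and only works if UDP/123 egress is open in the security group.

```conf
# /etc/chrony.conf fragment (added example, not from the original answer)
# Amazon Time Sync: link-local, reached without any security group rule.
server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
# Optional public fallback; needs outbound UDP/123 to 0.0.0.0/0.
pool 0.amazon.pool.ntp.org iburst
```

For ntpd the equivalent is `server 169.254.169.123 prefer iburst` in ntp.conf. After restarting chronyd, `chronyc sources -v` should list 169.254.169.123 with a `*` marker once it has been selected, and `chronyc tracking` shows the current offset.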
-3

No need to open up inbound traffic for NTP, only outbound access is needed. As long as your instance can reach the internet, the ntp pool address can be resolved.

So open your outbound address/ports and make sure your instance can reach the internet directly or through NAT or through some other means.

Arabian answered 8/3, 2016 at 4:53 Comment(1)
This is not right. AWS will drop the response packets from the NTP server (or any server BTW), unless the corresponding communication port is open in the Inbound ruleset. For NTP responses to reach your Ubuntu client, simply open port 1024-65535 udp in the Inbound tab. Reminder: a communication can only take place if the sender receives a response... (Gawlas)

© 2022 - 2024 — McMap. All rights reserved.