[VMC on AWS] Use Amazon Time Sync Service as an NTP server for compute workloads within VMC SDDC


Article ID: 329764


Updated On:


VMware Cloud on AWS


This article provides the steps to use Amazon Time Sync Service as an NTP source to sync time for your workload VMs within the VMC SDDC.
This is ideal for use cases where the customer has blocked internet access for VMs within the SDDC or wants to reduce outbound traffic from the SDDC.
The Amazon Time Sync Service provides a highly accurate and reliable time reference that is natively accessible from the VMC SDDC.
There is no additional charge for using this service and customers can use standard Network Time Protocol (NTP) clients in their instances to access the service without needing any major updates to their SDDC configurations.


In this article, we will be configuring a Linux VM running as a compute workload within the VMC SDDC.

Prerequisite: Add a firewall rule in your Compute Gateway which allows NTP traffic to
Sample Rule:
Source: Compute Workload VM/Segment
Services: NTP (UDP:123)
Applied To: Internet Interface or Direct Connect Interface (i.e. the interface where the default route is pointing; if it is not advertised over a Direct Connect, it will be the Internet Interface). In this example, we do not have a DX connection to the SDDC, so the rule is applied to the Internet Interface.
Note: If you have a default route advertised over a VPN, then you wouldn't be able to use the native Amazon Time Sync Service.

To configure your instance to use the Amazon Time Sync Service

a) Connect to your instance and uninstall the NTP service.
sudo yum erase 'ntp*'
b) Install the chrony package.
sudo yum install chrony
c) Open the /etc/chrony.conf file using a text editor (such as vim or nano). Add the following line to the file:
server prefer iburst minpoll 4 maxpoll 4
Note: If the line is present, then the Amazon Time Sync Service is already configured and you can go to the next step. If not, add the line after any other server or pool statements that are already present in the file, and save your changes.
d) Restart the chrony daemon (chronyd).
sudo service chronyd restart
e) Use the chkconfig command to configure chronyd to start at each system boot.
sudo chkconfig chronyd on
f) Verify that chrony is using the IP address to synchronize the time.
chronyc sources -v
In the output that's returned, ^* indicates the preferred time source.
If you notice a '?' symbol against, please follow the next step (g).
g) The symbol '?' signifies that your instance is unable to reach the NTP Service at
Some instances are unable to natively route to a 169.254.X.X address. To fix this, add a static route on your instance pointing to the default gateway of the VM.
In this example, it would look like this: ip route add via dev eth0
Once this static route is added, ensure the local firewall on the VM and the compute gateway firewall allow NTP traffic to pass.
Note: You can skip this step if you don't see a '?' symbol against
h) Verify the time synchronization metrics that are reported by chrony.
chronyc tracking
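
The check in steps (f) and (g) can be scripted. The following is an added example, not part of the original article: it reads `chronyc sources` output on stdin and classifies one source. The function name source_state and the 192.0.2.x / 198.51.100.x sample rows are constructed placeholders; substitute the address configured in your /etc/chrony.conf.

```shell
#!/bin/sh
# Added example: classify one NTP source from `chronyc sources` output.
# On a VM:  chronyc sources | source_state "$TIME_SOURCE"
# TIME_SOURCE is a placeholder for the server address in /etc/chrony.conf.

source_state() {
    # $1 = source name/IP to look for; chronyc output is read from stdin.
    awk -v want="$1" '
        # Source rows start with the mode character: ^ server, = peer, # local clock.
        # Legend and header rows (printed by -v) start with other characters.
        /^[=#^]/ && $2 == want {
            found = 1
            state = substr($1, 2, 1)   # second character is the source state
            reach = $5                 # octal reachability register; 0 = no replies yet
            if (state == "*")                     print "selected"
            else if (state == "?" || reach == 0)  print "unreachable"
            else                                  print "not-selected"
        }
        END { if (!found) print "missing" }
    '
}

# Constructed sample: the source is reachable and chosen as the time reference.
sample_synced() {
cat <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.0.2.123                   3   4   377    12    +15us[  +20us] +/-  500us
^- 198.51.100.7                  2   6   377    40  -1200us[-1180us] +/-   35ms
EOF
}

# Constructed sample: no replies received, the case handled in step (g).
sample_unreachable() {
cat <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 192.0.2.123                   0   4     0     -     +0ns[   +0ns] +/-    0ns
EOF
}

printf 'synced sample:      %s\n' "$(sample_synced | source_state 192.0.2.123)"
printf 'unreachable sample: %s\n' "$(sample_unreachable | source_state 192.0.2.123)"
```

A result of "unreachable" or "missing" points back to step (g) and the firewall prerequisite; "not-selected" means the source answers but chrony is currently following a different one.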

Additional Information

Introducing the Amazon Time Sync Service

Setting the Time for a Windows Instance

Setting the Time for Your Linux Instance