
We are seeing extensive clock drift on our EC2 instances, to the point where various services are being affected. Elastic Beanstalk eventually rules long-running instances as unhealthy, citing clock drift and lack of NTP syncing. Why is this happening?

vcardillo
  • Have a look at [this question](https://stackoverflow.com/q/29418250/3788685); [my answer](https://stackoverflow.com/a/29498602/3788685) should help you out and give you an idea of what to look for and check. – user3788685 Aug 15 '17 at 16:32

1 Answer


Related reading:

[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html#configure_ntp

[2] http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc.html "Ensure that your VPC security groups and network ACLs allow outbound UDP traffic on port 123 to avoid these issues."

Despite what the docs say, if you are locking down your inbound ACL, there is one more step. While the AWS security groups are stateful (that is, an allowed outbound connection on a given port will also be allowed back in without explicitly allowing said port in the inbound rules), the ACLs are not stateful. This means that if you lock down your ACLs on the inbound side, you must also allow inbound UDP connections on port 123.

You can edit the /etc/ntp.conf file, and use NIST IP addresses from http://tf.nist.gov/tf-cgi/servers.cgi, instead of DNS names. Then in your ACL, you can lock down the inbound UDP rules to these IP addresses (for example: 216.229.0.179/32).

That should do it.

vcardillo
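The stateless-ACL point in this answer, as an added example that is not code from the question or the answer: it emulates how a network ACL evaluates a UDP/123 packet in each direction and reports which servers in ntp.conf lose their request or reply. The rule dictionaries follow the shape of boto3's describe_network_acls() output; the ACL entries, the ntp.conf and the second server address (192.0.2.10) are constructed for this example.

```python
import ipaddress
import re
# Constructed /etc/ntp.conf using IP addresses, as the answer suggests. 216.229.0.179 is
# the NIST address quoted there; 192.0.2.10 is a documentation-range placeholder.
NTP_CONF = """\
driftfile /var/lib/ntp/drift
server 216.229.0.179 iburst
server 192.0.2.10 iburst
"""

# Constructed NACL entries in the shape boto3's describe_network_acls() returns: outbound
# UDP/123 is open, inbound UDP/123 is allowed only from the first server, default deny.
NACL_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "17", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 123, "To": 123}},
    {"RuleNumber": 100, "Protocol": "17", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "216.229.0.179/32", "PortRange": {"From": 123, "To": 123}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]

def ntp_servers(conf):
    """Addresses named on 'server'/'peer' lines of an ntp.conf."""
    return re.findall(r"^\s*(?:server|peer)\s+(\S+)", conf, re.M)

def nacl_decision(entries, egress, ip, port):
    """Stateless NACL check for one UDP packet: the lowest RuleNumber that matches wins."""
    addr = ipaddress.ip_address(ip)
    for e in sorted((x for x in entries if x["Egress"] == egress), key=lambda x: x["RuleNumber"]):
        pr = e.get("PortRange")                  # absent on all-protocol rules
        if (e["Protocol"] in ("-1", "17")        # -1 = all protocols, 17 = UDP
                and addr in ipaddress.ip_network(e["CidrBlock"])
                and (pr is None or pr["From"] <= port <= pr["To"])):
            return e["RuleAction"]
    return "deny"                                # nothing matched: implicit deny

def ntp_blocked_by_nacl(conf, entries):
    """Map each server to the directions the NACL drops; ntpd uses UDP port 123 both ways."""
    blocked = {}
    for srv in ntp_servers(conf):
        try:
            verdict = {"outbound": nacl_decision(entries, True, srv, 123),
                       "inbound": nacl_decision(entries, False, srv, 123)}
        except ValueError:                       # a DNS name cannot be pinned in a NACL
            verdict = {"error": "not an IP address"}
        if any(v != "allow" for v in verdict.values()):
            blocked[srv] = verdict
    return blocked
```

With the constructed rules, the second server's request leaves but its reply is dropped by the inbound default deny, which is exactly the failure the answer describes; a server given as a DNS name is flagged because an ACL rule cannot be pinned to it.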