
Time in a VMC Environment


In VMware Cloud on AWS, NTP time sync is managed automatically using the Amazon Time Sync Service, which removes one of the traditional infrastructure concerns when running workloads in VMC. This post covers how it works and how to configure the NSX-T firewall rules needed for guest VMs to access the time sync endpoint.

One of the nice things about the VMC Service is that you don't have to worry about a number of the traditional infrastructure services that you typically obsess over when you're running your own infrastructure. One of those is time, a key requirement for any enterprise platform.

What is the Amazon Time Sync Service?

The Amazon Time Sync Service is a highly accurate and reliable time source provided by AWS. It uses a fleet of redundant satellite-connected and atomic reference clocks to deliver Coordinated Universal Time (UTC) to AWS services and resources. In a VMware Cloud on AWS environment, the VMC infrastructure itself uses this service, and guest workloads can also be configured to use it directly.

The service is accessible at the link-local IP address 169.254.169.123 over UDP port 123. This is the same address used by standard EC2 instances and is always available within the AWS network — no internet access required.

Time

VMC allows you to utilise the Amazon Time Sync Service to keep accurate and precise time. Because VMware Cloud on AWS is a fully managed service, the ESXi hosts are already configured to synchronise time correctly. However, for guest VMs running inside the VMC environment, you will want to ensure they are also pointed at a reliable time source rather than relying on VMware Tools time sync alone.

For Windows VMs, configure the NTP server using the Windows Time Service (w32tm). For Linux VMs, update your chrony or ntpd configuration to point to 169.254.169.123. This provides a consistent, low-latency time source that stays local to the AWS infrastructure rather than traversing your network back to an on-premises NTP server.

Firewall Config

To utilise the Amazon Time Sync Service from a VMC guest perspective, the appropriate NSX-T firewall rules need to be in place. On the Compute Gateway, you need to allow UDP port 123 outbound to 169.254.169.123.

The IP address 169.254.169.123 is part of the link-local address range 169.254.0.0/16. It is worth noting that .123 was deliberately chosen to match the NTP port number — a neat detail from the AWS team.

To create the rule: in the VMC Console navigate to Networking & Security → Gateway Firewall → Compute Gateway. Add a rule allowing UDP port 123 from your VM segment to destination 169.254.169.123. Without this rule, guest VMs will be blocked from reaching the time sync endpoint.

Troubleshooting

If time sync is not working for your guest VMs in VMware Cloud on AWS, check the following:

  • Verify the Compute Gateway firewall rule allows UDP 123 to 169.254.169.123
  • Confirm the NTP client service is running inside the guest VM
  • Check that the guest OS NTP configuration points to 169.254.169.123
  • If using a Route-based VPN with the default route on-premises, the link-local address will not be reachable over the VPN — use an alternative NTP server in that configuration
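
A guest-side check for the first item in the list above, added here as an example and not part of the original post: it sends one SNTP query to 169.254.169.123 and reports stratum, clock offset and round-trip delay, rejecting replies that do not echo the request timestamp. The function names are this example's own, and it assumes Python 3 is available in the guest.

```python
import socket, struct, time
NTP_DELTA = 2208988800            # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
TIME_SYNC_IP = "169.254.169.123"  # endpoint named in this post

def to_unix(sec, frac):
    """64-bit NTP timestamp (seconds, fraction) -> Unix seconds (era 0, valid to 2036)."""
    return sec - NTP_DELTA + frac / 2**32

def build_request(t1):
    """48-byte SNTP client packet: LI=0, VN=4, Mode=3, transmit timestamp = t1."""
    return struct.pack("!B39xII", 0x23, int(t1) + NTP_DELTA, int((t1 % 1) * 2**32))

def parse_reply(data, request, t4):
    """Validate a reply received at Unix time t4; return stratum, offset, delay."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li, mode, stratum = data[0] >> 6, data[0] & 0x07, data[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if data[24:32] != request[40:48]:  # server must echo our transmit timestamp
        raise ValueError("originate timestamp mismatch (stale or spoofed reply)")
    if stratum == 0:  # kiss-o'-death: the reference ID field carries a 4-char code
        raise ValueError("kiss-o'-death: " + data[12:16].decode("ascii", "replace"))
    if li == 3:
        raise ValueError("server clock unsynchronised")
    t1 = to_unix(*struct.unpack("!II", request[40:48]))
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", data[32:48])
    t2, t3 = to_unix(rx_s, rx_f), to_unix(tx_s, tx_f)
    offset = ((t2 - t1) + (t3 - t4)) / 2  # server clock minus guest clock, seconds
    return {"stratum": stratum, "offset": offset, "delay": (t4 - t1) - (t3 - t2)}

def probe(server=TIME_SYNC_IP, timeout=2.0):
    """Send one query and classify the outcome; never raises on network errors."""
    request = build_request(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (server, 123))
            data, _ = sock.recvfrom(512)
        except OSError as exc:  # socket.timeout is a subclass of OSError
            return {"ok": False, "reason": f"no reply: {exc}"}
        t4 = time.time()
    try:
        return {"ok": True, **parse_reply(data, request, t4)}
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}

if __name__ == "__main__":
    print(probe())
```

A "no reply" result from inside a guest points at the Compute Gateway rule or the route rather than the NTP client configuration; a large offset with a valid reply points at the guest's own NTP settings.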

Summary

VMware Cloud on AWS takes care of many traditional infrastructure concerns for you, and time sync is a great example. By leveraging the Amazon Time Sync Service at 169.254.169.123, you get a highly accurate, low-latency NTP source that is always available within the AWS network without any complex configuration. The only requirement on your part is ensuring the correct NSX-T Compute Gateway firewall rule is in place to allow UDP port 123 from your guest VMs to reach that link-local address. Once that is done, your workloads will have reliable, accurate time — one less thing to worry about in your VMC environment.
