Set the time reference on your EC2 instance to use the local Amazon Time Sync Service - Amazon Elastic Compute Cloud
Connect to the IPv4 endpoint of the Amazon Time Sync ServiceConnect to the IPv6 endpoint of the Amazon Time Sync ServiceConnect to the PTP hardware clock

Set the time reference on your EC2 instance to use the local Amazon Time Sync Service

The local Amazon Time Sync Service either uses the Network Time Protocol (NTP), or provides a local Precision Time Protocol (PTP) hardware clock on supported instances. The PTP hardware clock supports either an NTP connection (Linux and Windows instances), or a direct PTP connection (Linux instances only). The NTP and direct PTP connections use the same highly accurate time source, but the direct PTP connection is more accurate than the NTP connection. The NTP connection to the Amazon Time Sync Service supports leap smearing while the PTP connection to the PTP hardware clock does not smear time. For more information, see Leap seconds.

Your instances can access the local Amazon Time Sync Service as follows:

  • Through NTP at the following IP address endpoints:

  • (Linux only) Through a direct PTP connection to connect to a local PTP hardware clock:

    • PHC0

Amazon Linux AMIs, Windows AMIs, and most partner AMIs configure your instance to use the NTP IPv4 endpoint by default. This is the recommended setting for most customer workloads. No further configuration is required for instances launched from these AMIs unless you want to use the IPv6 endpoint or connect directly to the PTP hardware clock.

NTP and PTP connections do not require any VPC configuration changes, and your instance does not require access to the internet.

Note

Connect to the IPv4 endpoint of the Amazon Time Sync Service

This section describes how to configure your instance to use the local Amazon Time Sync Service through the IPv4 endpoint.

Use the instructions for your instance's operating system.

AL2023 and the latest versions of Amazon Linux 2 and Amazon Linux AMIs are configured to use the Amazon Time Sync Service IPv4 endpoint by default. No further configuration is required for instances launched from these AMIs and you can skip the following procedure.

If you're using an AMI that doesn't have the Amazon Time Sync Service configured by default, use one of the following procedures to configure the Amazon Time Sync Service on your instance using the chrony client. It requires adding a server entry for the Amazon Time Sync Service to the chrony configuration file.

Use the instructions for your instance's operating system.

Amazon Linux
To connect to the IPv4 endpoint of the Amazon Time Sync Service on Amazon Linux using chrony

  1. Connect to your instance and uninstall the NTP service.

    [ec2-user ~]$ sudo yum erase 'ntp*'

  2. Install the chrony package.

    [ec2-user ~]$ sudo yum install chrony

  3. Open the /etc/chrony.conf file using a text editor (such as vim or nano). Verify that the file includes the following line:

    server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4

    If the line is present, then the Amazon Time Sync Service is already configured to use the IPv4 endpoint of the Amazon Time Sync Service and you can go to the next step. If not, add the line after any other server or pool statements that are already present in the file, and save your changes.

  4. Restart the chrony daemon (chronyd).

    [ec2-user ~]$ sudo service chronyd restart
    Starting chronyd:                                          [  OK  ]
    Note

    On RHEL and CentOS (up to version 6), the service name is chrony instead of chronyd.

  5. To configure chronyd to start at each system boot, use the chkconfig command.

    [ec2-user ~]$ sudo chkconfig chronyd on

  6. Verify that chrony is using the 169.254.169.123 IPv4 endpoint to synchronize the time.

    [ec2-user ~]$ chronyc sources -v
    210 Number of sources = 7
        
          .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
         / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
        | /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
        ||                                                 .- xxxx [ yyyy ] +/- zzzz
        ||      Reachability register (octal) -.           |  xxxx = adjusted offset,
        ||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
        ||                                \     |          |  zzzz = estimated error.
        ||                                 |    |           \
        MS Name/IP address         Stratum Poll Reach LastRx Last sample               
        ===============================================================================
        ^* 169.254.169.123               3   6    17    43    -30us[ -226us] +/-  287us
        ^- ec2-12-34-231-12.eu-west>     2   6    17    43   -388us[ -388us] +/-   11ms
        ^- tshirt.heanet.ie              1   6    17    44   +178us[  +25us] +/- 1959us
        ^? tbag.heanet.ie                0   6     0     -     +0ns[   +0ns] +/-    0ns
        ^? bray.walcz.net                0   6     0     -     +0ns[   +0ns] +/-    0ns
        ^? 2a05:d018:c43:e312:ce77:>     0   6     0     -     +0ns[   +0ns] +/-    0ns
        ^? 2a05:d018:dab:2701:b70:b>     0   6     0     -     +0ns[   +0ns] +/-    0ns

    In the output that's returned, ^* indicates the preferred time source.

  7. Verify the time synchronization metrics that are reported by chrony.

    [ec2-user ~]$ chronyc tracking
    Reference ID    : A9FEA97B (169.254.169.123)
        Stratum         : 4
        Ref time (UTC)  : Wed Nov 22 13:18:34 2017
        System time     : 0.000000626 seconds slow of NTP time
        Last offset     : +0.002852759 seconds
        RMS offset      : 0.002852759 seconds
        Frequency       : 1.187 ppm fast
        Residual freq   : +0.020 ppm
        Skew            : 24.388 ppm
        Root delay      : 0.000504752 seconds
        Root dispersion : 0.001112565 seconds
        Update interval : 64.4 seconds
        Leap status     : Normal
Ubuntu
To connect to the IPv4 endpoint of the Amazon Time Sync Service on Ubuntu using chrony

  1. Connect to your instance and use apt to install the chrony package.

    ubuntu:~$ sudo apt install chrony
    Note

    If necessary, update your instance first by running sudo apt update.

  2. Open the /etc/chrony/chrony.conf file using a text editor (such as vim or nano). Add the following line before any other server or pool statements that are already present in the file, and save your changes:

    server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4

  3. Restart the chrony service.

    ubuntu:~$ sudo /etc/init.d/chrony restart
    Restarting chrony (via systemctl): chrony.service.

  4. Verify that chrony is using the 169.254.169.123 IPv4 endpoint to synchronize the time.

    ubuntu:~$ chronyc sources -v
    210 Number of sources = 7
            
              .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
             / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
            | /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
            ||                                                 .- xxxx [ yyyy ] +/- zzzz
            ||      Reachability register (octal) -.           |  xxxx = adjusted offset,
            ||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
            ||                                \     |          |  zzzz = estimated error.
            ||                                 |    |           \
            MS Name/IP address         Stratum Poll Reach LastRx Last sample
            ===============================================================================
            ^* 169.254.169.123               3   6    17    12    +15us[  +57us] +/-  320us
            ^- tbag.heanet.ie                1   6    17    13  -3488us[-3446us] +/- 1779us
            ^- ec2-12-34-231-12.eu-west-     2   6    17    13   +893us[ +935us] +/- 7710us
            ^? 2a05:d018:c43:e312:ce77:6     0   6     0   10y     +0ns[   +0ns] +/-    0ns
            ^? 2a05:d018:d34:9000:d8c6:5     0   6     0   10y     +0ns[   +0ns] +/-    0ns
            ^? tshirt.heanet.ie              0   6     0   10y     +0ns[   +0ns] +/-    0ns
            ^? bray.walcz.net                0   6     0   10y     +0ns[   +0ns] +/-    0ns

    In the output that's returned, on the line starting with ^* indicates the preferred time source.

  5. Verify the time synchronization metrics that are reported by chrony.

    ubuntu:~$ chronyc tracking
    Reference ID    : 169.254.169.123 (169.254.169.123)
            Stratum         : 4
            Ref time (UTC)  : Wed Nov 29 07:41:57 2017
            System time     : 0.000000011 seconds slow of NTP time
            Last offset     : +0.000041659 seconds
            RMS offset      : 0.000041659 seconds
            Frequency       : 10.141 ppm slow
            Residual freq   : +7.557 ppm
            Skew            : 2.329 ppm
            Root delay      : 0.000544 seconds
            Root dispersion : 0.000631 seconds
            Update interval : 2.0 seconds
            Leap status     : Normal
SUSE Linux

Starting with SUSE Linux Enterprise Server 15, chrony is the default implementation of NTP.

To connect to IPv4 endpoint of the Amazon Time Sync Service on SUSE Linux using chrony

  1. Open the /etc/chrony.conf file using a text editor (such as vim or nano).

  2. Verify that the file contains the following line:

    server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4

    If this line is not present, add it.

  3. Comment out any other server or pool lines.

  4. Open yaST and enable the chrony service.

Starting with the August 2018 release, Windows AMIs use the Amazon Time Sync Service by default. No further configuration is required for instances launched from these AMIs and you can skip the following procedures.

If you're using an AMI that doesn't have the Amazon Time Sync Service configured by default, first verify your current NTP configuration. If your instance is already using the IPv4 endpoint of the Amazon Time Sync Service, no further configuration is required. If your instance is not using the Amazon Time Sync Service, then complete the procedure to change the NTP server to use the Amazon Time Sync Service.

To verify the NTP configuration

  1. From your instance, open a Command Prompt window.

  2. Get the current NTP configuration by typing the following command:

    w32tm /query /configuration

    This command returns the current configuration settings for the Windows instance and will show if you're connected to the Amazon Time Sync Service.

  3. (Optional) Get the status of the current configuration by typing the following command:

    w32tm /query /status

    This command returns information such as the last time the instance synced with the NTP server and the poll interval.

To change the NTP server to use the Amazon Time Sync Service

  1. From the Command Prompt window, run the following command:

    w32tm /config /manualpeerlist:169.254.169.123 /syncfromflags:manual /update

  2. Verify your new settings by using the following command:

    w32tm /query /configuration

    In the output that's returned, verify that NtpServer displays the 169.254.169.123 IPv4 endpoint.

Default network time protocol (NTP) settings for Amazon Windows AMIs

Amazon Machine Images (AMIs) generally adhere to the out-of-the-box defaults except in cases where changes are required to function on EC2 infrastructure. The following settings have been determined to work well in a virtual environment, as well as to keep any clock drift to within one second of accuracy:

  • Update Interval – Governs how frequently the time service will adjust system time towards accuracy. AWS configures the update interval to occur once every two minutes.

  • NTP Server – Starting with the August 2018 release, AMIs use the Amazon Time Sync Service by default. This time service is accessible from any AWS Region at the 169.254.169.123 IPv4 endpoint. Additionally, the 0x9 flag indicates that the time service is acting as a client, and to use SpecialPollInterval to determine how frequently to check in with the configured time server.

  • Type – "NTP" means that the service acts as a standalone NTP client instead of acting as part of a domain.

  • Enabled and InputProvider – The time service is enabled and provides time to the operating system.

  • Special Poll Interval – Checks against the configured NTP Server every 900 seconds (15 minutes).

Registry path Key name Data

HKLM:\System\CurrentControlSet\services\w32time\Config

UpdateInterval

120

HKLM:\System\CurrentControlSet\services\w32time\Parameters

NtpServer

169.254.169.123,0x9

HKLM:\System\CurrentControlSet\services\w32time\Parameters

Type

NTP

HKLM:\System\CurrentControlSet\services\w32time\TimeProviders\NtpClient

Enabled

1

HKLM:\System\CurrentControlSet\services\w32time\TimeProviders\NtpClient

InputProvider

1

HKLM:\System\CurrentControlSet\services\w32time\TimeProviders\NtpClient

SpecialPollInterval

900

Connect to the IPv6 endpoint of the Amazon Time Sync Service

This section explains how the steps described in Connect to the IPv4 endpoint of the Amazon Time Sync Service differ if you are configuring your instance to use the local Amazon Time Sync Service through the IPv6 endpoint. It doesn't explain the entire Amazon Time Sync Service configuration process.

The IPv6 endpoint is only accessible on Nitro-based instances.

Note

We don't recommend using both the IPv4 and IPv6 endpoint entries together. The IPv4 and IPv6 NTP packets come from the same local server for your instance. Configuring both IPv4 and IPv6 endpoints is unnecessary and will not improve the accuracy of the time on your instance.

Use the instructions for your instance's operating system.

Depending on the Linux distribution you're using, when you reach the step to edit the chrony.conf file, you'll be using the IPv6 endpoint of the Amazon Time Sync Service (fd00:ec2::123) rather than the IPv4 endpoint (169.254.169.123):

server fd00:ec2::123 prefer iburst minpoll 4 maxpoll 4

Save the file and verify that chrony is using the fd00:ec2::123 IPv6 endpoint to synchronize time: 

[ec2-user ~]$ chronyc sources -v

In the output, if you see the fd00:ec2::123 IPv6 endpoint, the configuration is complete.

When you reach the step to change the NTP server to use the Amazon Time Sync Service, you'll be using the IPv6 endpoint of the Amazon Time Sync Service (fd00:ec2::123) rather than the IPv4 endpoint (169.254.169.123):

w32tm /config /manualpeerlist:fd00:ec2::123 /syncfromflags:manual /update

Verify that your new settings are using the fd00:ec2::123 IPv6 endpoint to synchronize time:

w32tm /query /configuration

In the output, verify that NtpServer displays the fd00:ec2::123 IPv6 endpoint.

Connect to the PTP hardware clock

The PTP hardware clock is part of the AWS Nitro System, so it is directly accessible on supported bare metal and virtualized EC2 instances without using any customer resources.

The NTP endpoints for the PTP hardware clock are the same as those for the regular Amazon Time Sync Service. If your instance has a PTP hardware clock and you configured the NTP connection (to either the IPv4 or IPv6 endpoint), your instance time is automatically sourced from the PTP hardware clock over NTP.

For Linux instances, you can configure a direct PTP connection, which will give you more accurate time than the NTP connection. Windows instances only support an NTP connection to the PTP hardware clock.

Requirements

The PTP hardware clock is available on an instance when the following requirements are met:

  • Supported AWS Regions: US East (N. Virginia), US East (Ohio), Asia Pacific (Malaysia), Asia Pacific (Tokyo), and Europe (Stockholm)

  • Supported instance families:

    • General purpose: M7a, M7g, M7gd, M7i, M8g

    • Compute optimized: C7a, C7gd, C7i, C8g

    • Memory optimized: R7a, R7g, R7gd, R7i, R8g, X8g

  • (Linux only) ENA driver version 2.10.0 or later installed on a supported operating system. For more information about supported operating systems, see the driver prerequisites on GitHub.

This section describes how to configure your Linux instance to use the local Amazon Time Sync Service through the PTP hardware clock using a direct PTP connection. It requires adding a server entry for the PTP hardware clock in the chrony configuration file.

To configure a direct PTP connection to the PTP hardware clock (Linux instances only)

  1. Connect to your Linux instance and do the following:

    1. Install the Linux kernel driver for Elastic Network Adapter (ENA) version 2.10.0 or later.

    2. Enable the PTP hardware clock.

    For the installation instructions, see Linux kernel driver for Elastic Network Adapter (ENA) family on GitHub.

  2. Verify that the /dev/ptp0 device shows up on your instance.

    [ec2-user ~]$ ls /dev/ptp0

    The following is the expected output. If /dev/ptp0 is not in the output, the ENA driver was not correctly installed. Review step 1 in this procedure for installing the driver.

    /dev/ptp0

  3. Edit /etc/chrony.conf using a text editor and add the following line anywhere in the file.

    refclock PHC /dev/ptp0 poll 0 delay 0.000010 prefer

  4. Restart chrony.

    [ec2-user ~]$ sudo systemctl restart chronyd

  5. Verify that chrony is using the PTP hardware clock to synchronize the time on this instance.

    [ec2-user ~]$ chronyc sources

    Expected output

    MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
#* PHC0                          0   0    377    1   +2ns[ +1ns] +/-   5031ns

    In the output that's returned, * indicates the preferred time source. PHC0 corresponds to the PTP hardware clock. You might need to wait a few seconds after restarting chrony for the asterisk to appear.