oxidecomputer / omicron

Omicron: Oxide control plane
Mozilla Public License 2.0

wicket: preflight could check NTP connectivity from all (or several?) IPs in the service pool #6622

Open iliana opened 2 weeks ago

iliana commented 2 weeks ago

If firewall rules are opened up only for the service pool IP that attempted to make an NTP query during preflight, it's very likely that the boundary NTP zones will come up with different IPs and fail to make connectivity. Preflight could check that several or all of the IPs in the service pool have the ability to reach NTP servers.

jgallagher commented 2 weeks ago

I think the current implementation is slightly worse than the issue describes. During preflight uplink, the IP making the request will be one of the uplink addresses provided at RSS time, which is not part of the service IP pool at all.
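An operator-side check in the spirit of what this issue asks for, as an added example that is not wicket's or omicron's own code: it expands a first..last pool range (an assumed shape for a service pool entry), binds a UDP socket to each address in turn and sends an NTPv4 client query, so a firewall opened for only one source address shows up as failures on every other pool address. It assumes the pool addresses are configured on a local interface, which is what binding to them requires.

```python
import ipaddress
import socket
import struct

NTP_UNIX_OFFSET = 2_208_988_800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def expand_pool(first, last):
    """Expand an inclusive first..last range (assumed shape of a service pool entry)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range {first}..{last}")
    return [ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)]

def build_ntp_request():
    """48-byte NTPv4 client request: LI=0, VN=4, Mode=3 in the first byte, rest zero."""
    return bytes([0x23]) + bytes(47)

def parse_ntp_reply(data):
    """Return (stratum, unix_seconds) from a server reply; reject non-server and KoD packets."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode, stratum = data[0] & 0x07, data[1]
    if mode != 4:
        raise ValueError(f"unexpected NTP mode {mode}")
    if stratum == 0:  # kiss-o'-death or unsynchronised; the reference ID carries the code
        raise ValueError(f"stratum 0 reply, code {data[12:16]!r}")
    (tx_secs,) = struct.unpack("!I", data[40:44])
    return stratum, tx_secs - NTP_UNIX_OFFSET

def probe_ntp(server, source_ip, timeout=2.0):
    """Query `server` with the socket bound to `source_ip`; raises OSError on bind or timeout."""
    family = socket.AF_INET6 if source_ip.version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((str(source_ip), 0))  # fails unless the address is configured locally
        sock.sendto(build_ntp_request(), (server, 123))
        data, _ = sock.recvfrom(64)
    return parse_ntp_reply(data)

def check_pool(server, first, last):
    """Map every pool address to ('ok', stratum) or ('fail', reason) so gaps are visible."""
    results = {}
    for ip in expand_pool(first, last):
        try:
            results[str(ip)] = ("ok", probe_ntp(server, ip)[0])
        except (OSError, ValueError) as exc:
            results[str(ip)] = ("fail", str(exc))
    return results
```

Run it once per configured NTP server; a pool where only one address reports `ok` is exactly the firewall situation the issue describes.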