Can you clarify your question some? I’m not sure exactly what you are trying to achieve, either secure time for your servers, or some clients? How many machines are we talking about? 2, 20, 200, 2000?
Depending on your hosting company, many of the larger ones (like Amazon for instance) offer in-house NTP servers for their customers to sync to if you don’t want to use the pool servers.
If your hosting company doesn’t offer that, and all you want to do is sync some of your servers then setting the various pool servers in your ntp.conf file (or whatever program you are using) should be sufficient. Note that if you are using a current version of NTP (and I believe Chrony) you can use the ‘pool’ directive instead of ‘server’.
If you aren’t going to be serving time from these servers, then leave port 123 closed on your firewall (assuming you have a stateful firewall). Then there is no issue with someone trying to attack / abuse NTP on your servers. If you are going to be serving time from these servers, then there are a few different ways to go about it.
If it’s time to anyone / everyone, then obviously you would need to open port 123 on your firewall, but you would need at minimum lines in your configuration that look like:
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
If you know the source IPs of the clients, you can always configure the firewall to only allow those to pass on port 123. Alternatively, you can specify in your ntp.conf similarly to only respond to those clients with time and ignore everyone else.
If you don’t know the source IPs of the clients and don’t want just anyone to query your NTP server, then you can set up authentication / encryption, so only authorized clients will be responded to.
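The following is an added example, not part of the original answer above: a shell script that writes out the hardened ntpd server configuration the answer describes (pool upstream, locked-down default restrict lines, a known client range, and symmetric-key authentication so unknown clients are only served when their packets are authenticated), a matching client configuration and key file, and a small check that flags any `restrict default` line missing the hardening flags. The file paths, key id 1, the client range 192.0.2.0/24 and the hostname ntp.example.com are illustrative assumptions; the weak configuration is constructed only to show what the check catches.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): hardened ntpd server/client
# configs with symmetric-key auth, plus a lint for 'restrict default' lines.
# Paths, key id 1, 192.0.2.0/24 and ntp.example.com are assumptions.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Server: 'pool' upstream, serve-time-only defaults, and 'notrust' so that
# clients at unknown addresses are answered only when their request carries
# a valid trusted key. 'restrict source' exempts the upstream associations
# mobilized by 'pool' from that requirement, otherwise their (unauthenticated)
# replies would be dropped too.
write_server_conf() {
  cat > "$1" <<'EOF'
driftfile /var/lib/ntp/ntp.drift

pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
restrict source kod limited nomodify notrap nopeer noquery

# Default: time only; no control queries, runtime changes, traps or peering.
# notrust: unknown addresses must authenticate to be served at all.
restrict default kod limited nomodify notrap nopeer noquery notrust
restrict -6 default kod limited nomodify notrap nopeer noquery notrust

# Local management (ntpq) from the host itself
restrict 127.0.0.1
restrict ::1

# Known client network (assumed): unauthenticated time, nothing else
restrict 192.0.2.0 mask 255.255.255.0 kod limited nomodify notrap nopeer noquery

# Symmetric-key authentication; ntp.keys is shared with authorized clients
keys /etc/ntp.keys
trustedkey 1
EOF
}

# Client: same key file and id, 'key 1' on the server line
write_client_conf() {
  cat > "$1" <<'EOF'
keys /etc/ntp.keys
trustedkey 1
server ntp.example.com iburst key 1
restrict default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
EOF
}

# ntp.keys format: <id> <type> <secret>. 20 random bytes as hex for SHA1;
# mode 600, since the secret is all that authenticates a client.
write_keys_file() {
  ( umask 077
    printf '1 SHA1 %s\n' "$(head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n')" > "$1" )
}

# Constructed weak config: bare 'restrict default' allows queries and
# runtime modification from anyone who can reach port 123.
write_weak_conf() {
  printf 'server 0.pool.ntp.org\nrestrict default\nrestrict -6 default kod\n' > "$1"
}

# Check every 'restrict default' line for the flags the answer lists.
# Prints each missing flag to stderr; returns 1 if anything is missing.
check_default_restrict() {
  local conf="$1" rc=0 line flag
  while IFS= read -r line; do
    case "$line" in
      "restrict default"*|"restrict -4 default"*|"restrict -6 default"*) ;;
      *) continue ;;
    esac
    for flag in kod limited nomodify notrap nopeer noquery; do
      case " $line " in
        *" $flag "*) ;;
        *) echo "missing '$flag': $line" >&2; rc=1 ;;
      esac
    done
  done < "$conf"
  return "$rc"
}

write_server_conf "$WORKDIR/ntp.conf"
write_client_conf "$WORKDIR/client.conf"
write_keys_file "$WORKDIR/ntp.keys"
write_weak_conf "$WORKDIR/weak.conf"
for f in ntp.conf weak.conf; do
  if check_default_restrict "$WORKDIR/$f"; then
    echo "$f: default restrict OK"
  else
    echo "$f: default restrict too permissive"
  fi
done
echo "files written to $WORKDIR"
```

Copy the generated ntp.keys (mode 600) to each authorized client alongside the client configuration, then restart ntpd on both sides; a client without the key is simply not answered by the `notrust` default, while the 192.0.2.0/24 range is still served plain time.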