Add new 2025-05-01-preview API version to Microsoft.Cdn for mTLS and Deployment Versions Public Preview

[jessicl-ms]

ARM (Control Plane) API Specification Update Pull Request

Tip

Overwhelmed by all this guidance? See the Getting help section at the bottom of this PR description.

PR review workflow diagram

Please understand this diagram before proceeding. It explains how to get your PR approved & merged.

Purpose of this PR

What's the purpose of this PR? Check the specific option that applies. This is mandatory!

Cherry-picked public preview features mTLS and Deployment Versions from PR in private repo https://github.com/Azure/azure-rest-api-specs-pr/pull/22280, which has already received ARMSignedOff.

• New resource provider.
• New API version for an existing resource provider. (If API spec is not defined in TypeSpec, the PR should have been created in adherence to OpenAPI specs PR creation guidance).
• Update existing version for a new feature. (This is applicable only when you are revising a private preview API version.)
• Update existing version to fix OpenAPI spec quality issues in S360.
• Convert existing OpenAPI spec to TypeSpec spec (do not combine this with implementing changes for a new API version).
• Other, please clarify:
  • edit this with your clarification

Due diligence checklist

To merge this PR, you must go through the following checklist and confirm you understood
and followed the instructions by checking all the boxes:

• I confirm this PR is modifying Azure Resource Manager (ARM) related specifications, and not data plane related specifications.
• I have reviewed following Resource Provider guidelines, including
  ARM resource provider contract and
  REST guidelines (estimated time: 4 hours).
  I understand this is required before I can proceed to the diagram Step 2, "ARM API changes review", for this PR.
• A release plan has been created. If not, please create one as it will help guide you through the REST API and SDK creation process.

Additional information

Viewing API changes

For convenient view of the API changes made by this PR, refer to the URLs provided in the table
in the Generated ApiView comment added to this PR. You can use ApiView to show API versions diff.

Suppressing failures

If one or multiple validation error/warning suppression(s) is detected in your PR, please follow the
suppressions guide to get approval.

Getting help

• First, please carefully read through this PR description, from top to bottom. Please fill out the Purpose of this PR and Due diligence checklist.
• If you don't have permissions to remove or add labels to the PR, request write access per aka.ms/azsdk/access#request-access-to-rest-api-or-sdk-repositories
• To understand what you must do next to merge this PR, see the Next Steps to Merge comment. It will appear within few minutes of submitting this PR and will continue to be up-to-date with current PR state.
• For guidance on fixing this PR CI check failures, see the hyperlinks provided in given failure
  and https://aka.ms/ci-fix.
• For help with ARM review (PR workflow diagram Step 2), see https://aka.ms/azsdk/pr-arm-review.
• If the PR CI checks appear to be stuck in queued state, please add a comment with contents /azp run.
  This should result in a new comment denoting a PR validation pipeline has started and the checks should be updated after few minutes.
• If the help provided by the previous points is not enough, post to https://aka.ms/azsdk/support/specreview-channel and link to this PR.
• For guidance on SDK breaking change review, refer to https://aka.ms/ci-fix.

[openapi-pipeline-app]

Next Steps to Merge

Next steps that must be taken to merge this PR:

• ❌ This PR targets either the main branch of the public specs repo or the RPSaaSMaster branch of the private specs repo. These branches are not intended for iterative development. Therefore, you must acknowledge you understand that after this PR is merged, the APIs are considered shipped to Azure customers. Any further attempts at in-place modifications to the APIs will be subject to Azure's versioning and breaking change policies. Additionally, for control plane APIs, you must acknowledge that you are following all the best practices documented by ARM at aka.ms/armapibestpractices. If you do intend to release the APIs to your customers by merging this PR, add the PublishToCustomers label to your PR in acknowledgement of the above. Otherwise, retarget this PR onto a feature branch, i.e. with prefix release- (see aka.ms/azsdk/api-versions#release--branches).
• ❌ This PR is in purview of the ARM review (label: ARMReview). This PR must get ARMSignedOff label from an ARM reviewer.
  This PR has ARMChangesRequested label. Please address or respond to feedback from the ARM API reviewer.
  When you are ready to continue the ARM API review, please remove the ARMChangesRequested label.
  Automation should then add WaitForARMFeedback label.
  ❗If you don't have permissions to remove the label, request write access per aka.ms/azsdk/access#request-access-to-rest-api-or-sdk-repositories.
  For details of the ARM review, see aka.ms/azsdk/pr-arm-review
  
• ❌ The required check named Automated merging requirements met has failed. This is the final check that must pass. Refer to the check in the PR's 'Checks' tab for details on how to fix it and consult the aka.ms/ci-fix guide. In addition, refer to step 4 in the PR workflow diagram

[openapi-pipeline-app]

PR validation pipeline restarted successfully. If there is ApiView generated, it will be updated in this comment.

[github-actions]

API Change Check

APIView identified API level changes in this PR and created the following API reviews

Language	API Review for Package
Swagger	Microsoft.Cdn
Go	sdk/resourcemanager/cdn/armcdn
Java	com.azure.resourcemanager:azure-resourcemanager-cdn-generated
JavaScript	@azure/arm-cdn
Python	azure-mgmt-cdn

[jessicl-ms]

Cherry-picked public preview features mTLS and Deployment Versions from PR in private repo https://github.com/Azure/azure-rest-api-specs-pr/pull/22280, which has already received ARMSignedOff. Please refer to this PR for previous review comments.

[pshao25]

Please check out the email titled "IMPORTANT: Your service is scheduled to be converted to TypeSpec in July". Any changes directly on swagger is not allowed. Contact "Janine Zhang [email protected]" and "Matthew Gertz [email protected]" for details.

[ramoka178]

  "post": {

why is this a POST ? looks like this is created a deploymentVersion. It should be PUT right ? It also has GET and PATCH APIs too.

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:3482 in ac96281. [](commit_id = ac96281, deletion_comment = False)

[ramoka178]

"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/profiles/{profileName}/deploymentVersions/{versionName}/approve": {

have a verb+action format. say approveDeploymentVersion ?

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:3481 in ac96281. [](commit_id = ac96281, deletion_comment = False)

[ramoka178]

"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/profiles/{profileName}/deploymentVersions/{versionName}/compare": {

have a verb+action format. say compareDeploymentVersion ?

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:3538 in ac96281. [](commit_id = ac96281, deletion_comment = False)

[ramoka178]

      "final-state-via": "azure-async-operation"

202 schema body says headers has location. fix the inconsistency.

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:3534 in ac96281. [](commit_id = ac96281, deletion_comment = False)

[TimLovellSmith]

      "description": "Set to Disabled by default. If set to Enabled, mutual TLS connection can be established without client certificate.",

Isn't that self-contradictory? How is it mutual if you don't know who the client is?
Do you mean fall back to regular non-mutual TLS ?

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:4501 in 13e1cf8. [](commit_id = 13e1cf8, deletion_comment = False)

[TimLovellSmith]

      "description": "Set to Disabled by default. If set to Enabled, only custom domains with mTLS enabled can be added to child Route resources.",

Could you walk me through the thinking around defaults here?

If mTLS is better security, disabled by default doesn't sound very much like 'secure by default'.

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:5044 in 13e1cf8. [](commit_id = 13e1cf8, deletion_comment = False)

[TimLovellSmith]

      "description": "Certificate thumbprint.",

SHA1 yes?

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:5269 in f3c3d8f. [](commit_id = f3c3d8f, deletion_comment = False)

[TimLovellSmith]

      "description": "Certificate thumbprint.",

I'd like to include you in some info I recently heard that crypto team wants us to stop supporting only SHA1 hashes, since SHA1 is no longer considered unforgeable.

Can you please add support for other thumbprint algorithms? (not necessarily in this API version)

---

In reply to: 3030821251

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:5269 in 13e1cf8. [](commit_id = 13e1cf8, deletion_comment = False)

[TimLovellSmith]

      "type": "string",

is ISO 8601 the same as putting "format": "date-time"? (I always forget)
Hmm apparently format date-time is
RFC 3339, section 5.6,....

"RFC 3339 is a profile of the ISO 8601 standard for representation of dates and times using the Gregorian calendar123. While there are some small differences, they are not significant12."

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:5346 in 13e1cf8. [](commit_id = 13e1cf8, deletion_comment = False)

[TimLovellSmith]

      "type": "string",

https://stackoverflow.com/questions/522251/whats-the-difference-between-iso-8601-and-rfc-3339-date-formats

---

In reply to: 3030829434

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:5346 in 13e1cf8. [](commit_id = 13e1cf8, deletion_comment = False)

[TimLovellSmith]

      "type": "string",

So I guess you could go with "format": "date-time" then.

---

In reply to: 3030837872

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:5346 in 13e1cf8. [](commit_id = 13e1cf8, deletion_comment = False)

[TimLovellSmith]

    "creationTime": {

wouldn't just 'createdAt' or 'creationTimeUtc' also follow naming guidelines?

---

In reply to: 3014174663

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:6248 in ac96281. [](commit_id = ac96281, deletion_comment = False)

[TimLovellSmith]

    "approvalTime": {

same, how about just 'approvalTimeUtc' or 'approvedAt'

---

In reply to: 3014174688

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:6253 in ac96281. [](commit_id = ac96281, deletion_comment = False)

[TimLovellSmith]

    "approvalTime": {

although.. does it sometimes really mean 'disapprovedAt'? (also, is approval one-way?)

---

In reply to: 3030855521

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:6253 in ac96281. [](commit_id = ac96281, deletion_comment = False)

[TimLovellSmith]

        "Approved"

How about Rejected? Or Canceled? For people who don't want things to sit around unapproved forever but don't want to approve them? (or can't now because its too late)

---

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:6264 in 13e1cf8. [](commit_id = 13e1cf8, deletion_comment = False)

[TimLovellSmith]

So do they have to be SSL certs specifically? No magic self-signed certs here? Just wondering.

[TimLovellSmith]

have a verb+action format. say compareDeploymentVersion ?

I think its okay as is? CompareDeploymentVersions seems a bit redundant in the context of deploymentVersion resources?

[TimLovellSmith]

Overall comment regarding all the naming discussion, lets refer to

https://github.com/microsoft/api-guidelines/blob/vNext/azure/ConsiderationsForServiceDesign.md#common-names

[shaowan-msft]

    "approvalTime": {

although.. does it sometimes really mean 'disapprovedAt'? (also, is approval one-way?)

In reply to: 3030855521

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:6253 in ac96281. [](commit_id = ac96281, deletion_comment = False)

Approval is one-way action, it does not mean disApproveAt

[shaowan-msft]

    "creationTime": {

wouldn't just 'createdAt' or 'creationTimeUtc' also follow naming guidelines?

In reply to: 3014174663

Refers to: specification/cdn/resource-manager/Microsoft.Cdn/preview/2025-05-01-preview/afdx.json:6248 in ac96281. [](commit_id = ac96281, deletion_comment = False)

Thanks for sharing the common names guide. And yes I admit CreatedAt/ApprovedAt is better. May I ask is the renaming a MUST FIX? Because it will require to change code and re-deploy. Or can we wait for next version fix the naming?