diff --git a/api/envoy/api/v2/cds.proto b/api/envoy/api/v2/cds.proto
index 8e61b32b2c7a..719fe0f6ab91 100644
--- a/api/envoy/api/v2/cds.proto
+++ b/api/envoy/api/v2/cds.proto
@@ -126,71 +126,6 @@ message Cluster {
     LOAD_BALANCING_POLICY_CONFIG = 7;
   }
 
-  // TransportSocketMatch specifies what transport socket config will be used
-  // when the match conditions are satisfied.
-  message TransportSocketMatch {
-    // The name of the match, used in stats generation.
-    string name = 1 [(validate.rules).string.min_len = 1];
-
-    // Optional endpoint metadata match criteria.
-    // The connection to the endpoint with metadata matching what is set in this field
-    // will use the transport socket configuration specified here.
-    // The endpoint's metadata entry in *envoy.transport_socket* is used to match
-    // against the values specified in this field.
-    google.protobuf.Struct match = 2;
-
-    // The configuration of the transport socket.
-    core.TransportSocket transport_socket = 3;
-  }
-
-  // Configuration to use different transport sockets for different endpoints.
-  // The entry of *envoy.transport_socket* in the
-  // :ref:`LbEndpoint.Metadata <envoy_api_field_endpoint.LbEndpoint.metadata>`
-  // is used to match against the transport sockets as they appear in the list. The first
-  // :ref:`match <envoy_api_msg_Cluster.TransportSocketMatch>` is used.
-  // For example, with the following match
-  //
-  // .. code-block:: yaml
-  //
-  //  transport_socket_matches:
-  //  - name: "enableMTLS"
-  //    match:
-  //      acceptMTLS: true
-  //    transport_socket:
-  //      name: tls
-  //      config: { ... } # tls socket configuration
-  //  - name: "defaultToPlaintext"
-  //    match: {}
-  //    transport_socket:
-  //      name: "rawbuffer"
-  //
-  // Connections to the endpoints whose metadata value under *envoy.transport_socket*
-  // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
-  //
-  // If a :ref:`socket match <envoy_api_msg_Cluster.TransportSocketMatch>` with empty match
-  // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
-  // socket match in case above.
-  //
-  // If an endpoint metadata's value under *envoy.transport_socket* does not match any
-  // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or
-  // *transport_socket* specified in this cluster.
-  //
-  // This field allows gradual and flexible transport socket configuration changes.
-  //
-  // The metadata of endpoints in EDS can indicate transport socket capabilities. For example,
-  // an endpoint's metadata can have two key value pairs as "acceptMTLS": "true",
-  // "acceptPlaintext": "true". While some other endpoints, only accepting plaintext traffic
-  // has "acceptPlaintext": "true" metadata information.
-  //
-  // Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS
-  // traffic for endpoints with "acceptMTLS": "true", by adding a corresponding
-  // *TransportSocketMatch* in this field. Other client Envoys receive CDS without
-  // *transport_socket_match* set, and still send plain text traffic to the same cluster.
-  //
-  // TODO(incfly): add a detailed architecture doc on intended usage.
-  // [#not-implemented-hide:]
-  repeated TransportSocketMatch transport_socket_matches = 43;
-
   // When V4_ONLY is selected, the DNS resolver will only perform a lookup for
   // addresses in the IPv4 family. If V6_ONLY is selected, the DNS resolver will
   // only perform a lookup for addresses in the IPv6 family. If AUTO is
@@ -217,6 +152,23 @@ message Cluster {
     USE_DOWNSTREAM_PROTOCOL = 1;
   }
 
+  // TransportSocketMatch specifies what transport socket config will be used
+  // when the match conditions are satisfied.
+  message TransportSocketMatch {
+    // The name of the match, used in stats generation.
+    string name = 1 [(validate.rules).string = {min_len: 1}];
+
+    // Optional endpoint metadata match criteria.
+    // The connection to the endpoint with metadata matching what is set in this field
+    // will use the transport socket configuration specified here.
+    // The endpoint's metadata entry in *envoy.transport_socket* is used to match
+    // against the values specified in this field.
+    google.protobuf.Struct match = 2;
+
+    // The configuration of the transport socket.
+    core.TransportSocket transport_socket = 3;
+  }
+
   // Extended cluster type.
   message CustomClusterType {
     // The type of the cluster to instantiate. The name must match a supported cluster type.
@@ -486,6 +438,54 @@ message Cluster {
 
   reserved 12, 15;
 
+  // Configuration to use different transport sockets for different endpoints.
+  // The entry of *envoy.transport_socket* in the
+  // :ref:`LbEndpoint.Metadata <envoy_api_field_endpoint.LbEndpoint.metadata>`
+  // is used to match against the transport sockets as they appear in the list. The first
+  // :ref:`match <envoy_api_msg_Cluster.TransportSocketMatch>` is used.
+  // For example, with the following match
+  //
+  // .. code-block:: yaml
+  //
+  //  transport_socket_matches:
+  //  - name: "enableMTLS"
+  //    match:
+  //      acceptMTLS: true
+  //    transport_socket:
+  //      name: tls
+  //      config: { ... } # tls socket configuration
+  //  - name: "defaultToPlaintext"
+  //    match: {}
+  //    transport_socket:
+  //      name: "rawbuffer"
+  //
+  // Connections to the endpoints whose metadata value under *envoy.transport_socket*
+  // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
+  //
+  // If a :ref:`socket match <envoy_api_msg_Cluster.TransportSocketMatch>` with empty match
+  // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
+  // socket match in case above.
+  //
+  // If an endpoint metadata's value under *envoy.transport_socket* does not match any
+  // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or
+  // *transport_socket* specified in this cluster.
+  //
+  // This field allows gradual and flexible transport socket configuration changes.
+  //
+  // The metadata of endpoints in EDS can indicate transport socket capabilities. For example,
+  // an endpoint's metadata can have two key value pairs as "acceptMTLS": "true",
+  // "acceptPlaintext": "true". While some other endpoints, only accepting plaintext traffic
+  // has "acceptPlaintext": "true" metadata information.
+  //
+  // Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS
+  // traffic for endpoints with "acceptMTLS": "true", by adding a corresponding
+  // *TransportSocketMatch* in this field. Other client Envoys receive CDS without
+  // *transport_socket_match* set, and still send plain text traffic to the same cluster.
+  //
+  // TODO(incfly): add a detailed architecture doc on intended usage.
+  // [#not-implemented-hide:]
+  repeated TransportSocketMatch transport_socket_matches = 43;
+
   // Supplies the name of the cluster which must be unique across all clusters.
   // The cluster name is used when emitting
   // :ref:`statistics <config_cluster_manager_cluster_stats>` if :ref:`alt_stat_name