diff --git a/internal/cba.go b/internal/cba.go
index 6923d3a716e..829383f55b5 100644
--- a/internal/cba.go
+++ b/internal/cba.go
@@ -274,8 +274,8 @@ func shouldUseS2A(clientCertSource cert.Source, settings *DialSettings) bool {
 if !isGoogleS2AEnabled() {
 return false
 }
- // If DefaultMTLSEndpoint is not set, skip S2A.
- if settings.DefaultMTLSEndpoint == "" {
+ // If DefaultMTLSEndpoint is not set and no endpoint override, skip S2A.
+ if settings.DefaultMTLSEndpoint == "" && settings.Endpoint == "" {
 return false
 }
 // If MTLS is not enabled for this endpoint, skip S2A.
diff --git a/internal/cba_test.go b/internal/cba_test.go
index 761d8e7d07e..d6a783740e5 100644
--- a/internal/cba_test.go
+++ b/internal/cba_test.go
@@ -290,6 +290,17 @@ func TestGetHTTPTransportConfigAndEndpoint(t *testing.T) {
 testRegularEndpoint,
 true,
 },
+ {
+ "no client cert, S2A address not empty, override endpoint is set",
+ &DialSettings{
+ DefaultMTLSEndpoint: "",
+ Endpoint: testOverrideEndpoint,
+ },
+ validConfigResp,
+ func() bool { return true },
+ testOverrideEndpoint,
+ false,
+ },
 {
 "no client cert, endpoint is MTLS enabled, S2A address not empty, custom HTTP client",
 &DialSettings{
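Review bot: Nothing in the visible lines checks that a caller-supplied `settings.Endpoint` is an mTLS-capable host before the new condition in shouldUseS2A keeps S2A eligible with an empty `DefaultMTLSEndpoint`. The following check (`// If MTLS is not enabled for this endpoint, skip S2A.`) has its body outside the hunk, so whether it looks at the override cannot be confirmed from here. Because the override comes from the caller, I would spell the contract out in the comment, for example `// If neither DefaultMTLSEndpoint nor an Endpoint override is set, skip S2A. An override is taken as given; the caller must ensure it accepts mTLS.` The test added in this commit appears to expect the override to be returned unchanged, which is consistent with that wording. shouldUseS2A starts and ends outside the hunk.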
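Review bot: The new table entry's name leaves out the condition it exists to cover, that `DefaultMTLSEndpoint` is empty; a name such as `"no client cert, S2A address not empty, DefaultMTLSEndpoint empty, override endpoint is set"` would make a failure self-explanatory. The entry pins only the positive path, so a companion case with both `DefaultMTLSEndpoint` and `Endpoint` empty would be needed to pin the `&&` in shouldUseS2A, unless one already exists outside this hunk. The table and the test function both start and end outside the hunk.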