diff --git a/credentials/google/google_test.go b/credentials/google/google_test.go
index 6a6e492ee77d..8c08712087df 100644
--- a/credentials/google/google_test.go
+++ b/credentials/google/google_test.go
@@ -101,7 +101,7 @@ func TestClientHandshakeBasedOnClusterName(t *testing.T) {
 {
 name: "with CFE cluster name",
 ctx: icredentials.NewClientHandshakeInfoContext(context.Background(), credentials.ClientHandshakeInfo{
- Attributes: internal.SetXDSHandshakeClusterName(resolver.Address{}, cfeClusterName).Attributes,
+ Attributes: internal.SetXDSHandshakeClusterName(resolver.Address{}, "google_cfe_bigtable.googleapis.com").Attributes,
 }),
 // CFE should use tls.
 wantTyp: "tls",
diff --git a/credentials/google/xds.go b/credentials/google/xds.go
index 588c685e2592..b8c2e8f9204c 100644
--- a/credentials/google/xds.go
+++ b/credentials/google/xds.go
@@ -21,18 +21,19 @@ package google
 import (
 "context"
 "net"
+ "strings"

 "google.golang.org/grpc/credentials"
 "google.golang.org/grpc/internal"
 )

-const cfeClusterName = "google-cfe"
+const cfeClusterNamePrefix = "google_cfe_"

 // clusterTransportCreds is a combo of TLS + ALTS.
 //
 // On the client, ClientHandshake picks TLS or ALTS based on address attributes.
 // - if attributes has cluster name
- // - if cluster name is "google_cfe", use TLS
+ // - if cluster name has prefix "google_cfe_", use TLS
 // - otherwise, use ALTS
 // - else, do TLS
 //
@@ -55,7 +56,7 @@ func (c *clusterTransportCreds) ClientHandshake(ctx context.Context, authority s
 return c.tls.ClientHandshake(ctx, authority, rawConn)
 }
 cn, ok := internal.GetXDSHandshakeClusterName(chi.Attributes)
- if !ok || cn == cfeClusterName {
+ if !ok || strings.HasPrefix(cn, cfeClusterNamePrefix) {
 return c.tls.ClientHandshake(ctx, authority, rawConn)
 }
 // If attributes have cluster name, and cluster name is not cfe, it's a
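Review bot: The "with CFE cluster name" entry in TestClientHandshakeBasedOnClusterName pins a single matching name, `google_cfe_bigtable.googleapis.com`, and nothing visible pins the boundary of the new prefix rule. Because this name decides whether a connection is handshaken with TLS or ALTS, I would add table entries for the bare prefix `google_cfe_`, for `google_cfe` without the trailing underscore, and for the former exact name `google-cfe`, each with the `wantTyp` the maintainers intend. The rest of the table lies outside the hunk, so some of these cases may already be covered.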
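Review bot: `cfeClusterNamePrefix` in xds.go is declared without a comment, although it is the value that switches ClientHandshake between TLS and ALTS. I would add `// cfeClusterNamePrefix is the prefix of xDS handshake cluster names for which ClientHandshake uses TLS instead of ALTS.` above the constant. The literal also moves from a hyphen (`google-cfe`) to underscores (`google_cfe_`); the old doc comment already said `google_cfe`, so this looks like a deliberate correction, but the hunk does not say so and a sentence recording it would help the next reader.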
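Review bot: In ClientHandshake the new condition `strings.HasPrefix(cn, cfeClusterNamePrefix)` no longer accepts `google-cfe`, the one name the old comparison matched, so an address still carrying that name now falls through to the non-TLS branch below; I cannot tell from the hunk whether any producer of cluster names still sends it. Every name beginning with `google_cfe_` now selects TLS, so the choice of transport security rests on whoever sets the cluster-name attribute (presumably the xDS control plane), and that assumption deserves a comment at the `if`, for example `// Cluster names come from the address attributes; names with the CFE prefix use TLS, all others ALTS.` The trailing context comment `cluster name is not cfe` would read more accurately as `cluster name does not have the cfe prefix`. The function body starts and ends outside the hunk.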