gcp/cloudsql: add PSC support via cloud-sql-go-connector (backwards compatible)

Add cloud.google.com/go/cloudsqlconn alongside the existing cloudsql-proxy
dependency. URLOpener now accepts both a Dialer (new, supports PSC and
explicit IP type selection) and CertSource (existing, deprecated). Dialer
takes precedence when both are set. Default URL-based access uses Dialer
internally, preserving auto-IP behavior. Adds IPType enum
(Auto/Public/Private/PSC) and ip_type URL query parameter support.
CertSource remains fully functional — no breaking changes.

Fixes #3670.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: aplr

gcp/cloudsql/cloudsql.go

@@ -17,6 +17,9 @@
 package cloudsql // import "gocloud.dev/gcp/cloudsql"
 
 import (
+	"context"
+
+	"cloud.google.com/go/cloudsqlconn"
 	"github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/certs"
 	"github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/proxy"
 	"github.com/google/wire"
@@ -26,18 +29,86 @@ import (
 
 // CertSourceSet is a Wire provider set that binds a Cloud SQL proxy
 // certificate source from an GCP-authenticated HTTP client.
+//
+// Deprecated: Use DialerSet instead, which supports PSC and explicit IP type
+// selection via URLOpener.IPType or the "ip_type" URL query parameter.
 var CertSourceSet = wire.NewSet(
 	NewCertSource,
 	wire.Bind(new(proxy.CertSource), new(*certs.RemoteCertSource)))
 
 // NewCertSource creates a local certificate source that uses the given
 // HTTP client. The client is assumed to make authenticated requests.
+//
+// Deprecated: Use NewDialer instead.
 func NewCertSource(c *gcp.HTTPClient) *certs.RemoteCertSource {
 	return certs.NewCertSourceOpts(&c.Client, certs.RemoteOpts{})
 }
 
-// NewCertSourceWithIAM creates a local certificate source, including Token source for token information used in
-// cert creation, that uses the given HTTP client. The client is assumed to make authenticated requests.
+// NewCertSourceWithIAM creates a local certificate source, including Token
+// source for token information used in cert creation, that uses the given HTTP
+// client. The client is assumed to make authenticated requests.
+//
+// Deprecated: Use NewDialerWithIAM instead.
 func NewCertSourceWithIAM(c *gcp.HTTPClient, t oauth2.TokenSource) *certs.RemoteCertSource {
 	return certs.NewCertSourceOpts(&c.Client, certs.RemoteOpts{EnableIAMLogin: true, TokenSource: t})
 }
+
+// DialerSet is a Wire provider set that binds a Cloud SQL Dialer from a GCP
+// token source. Use this instead of CertSourceSet when PSC or explicit IP type
+// selection is required.
+var DialerSet = wire.NewSet(NewDialer)
+
+// IPType specifies the type of IP address to use when connecting to a Cloud SQL instance.
+type IPType int
+
+const (
+	// IPTypeAuto uses a public IP if one is assigned to the instance; otherwise
+	// falls back to private IP. This is the default and matches the behavior of
+	// the legacy cloudsql-proxy v1 (equivalent to --auto-ip).
+	IPTypeAuto IPType = iota
+	// IPTypePublic uses the instance's public IP address.
+	IPTypePublic
+	// IPTypePrivate uses the instance's private IP address (requires VPC peering).
+	IPTypePrivate
+	// IPTypePSC uses a Private Service Connect endpoint.
+	IPTypePSC
+)
+
+// DialOptions returns the cloudsqlconn.DialOption(s) for this IPType.
+func (t IPType) DialOptions() []cloudsqlconn.DialOption {
+	switch t {
+	case IPTypePublic:
+		return []cloudsqlconn.DialOption{cloudsqlconn.WithPublicIP()}
+	case IPTypePrivate:
+		return []cloudsqlconn.DialOption{cloudsqlconn.WithPrivateIP()}
+	case IPTypePSC:
+		return []cloudsqlconn.DialOption{cloudsqlconn.WithPSC()}
+	default: // IPTypeAuto
+		return []cloudsqlconn.DialOption{cloudsqlconn.WithAutoIP()}
+	}
+}
+
+// NewDialer creates a Cloud SQL Dialer using the given OAuth2 token source.
+// The returned cleanup function must be called when the dialer is no longer needed.
+func NewDialer(ctx context.Context, ts oauth2.TokenSource) (*cloudsqlconn.Dialer, func(), error) {
+	d, err := cloudsqlconn.NewDialer(ctx, cloudsqlconn.WithTokenSource(ts))
+	if err != nil {
+		return nil, func() {}, err
+	}
+	return d, func() { d.Close() }, nil
+}
+
+// NewDialerWithIAM creates a Cloud SQL Dialer with IAM authentication enabled,
+// using the given OAuth2 token source. IAM authentication allows passwordless
+// connections to Cloud SQL instances.
+// The returned cleanup function must be called when the dialer is no longer needed.
+func NewDialerWithIAM(ctx context.Context, ts oauth2.TokenSource) (*cloudsqlconn.Dialer, func(), error) {
+	d, err := cloudsqlconn.NewDialer(ctx,
+		cloudsqlconn.WithIAMAuthNTokenSources(ts, ts),
+		cloudsqlconn.WithIAMAuthN(),
+	)
+	if err != nil {
+		return nil, func() {}, err
+	}
+	return d, func() { d.Close() }, nil
+}

go.mod

@@ -14,9 +14,10 @@
 
 module gocloud.dev
 
-go 1.25.0
+go 1.25.7
 
 require (
+	cloud.google.com/go/cloudsqlconn v1.20.2
 	cloud.google.com/go/compute/metadata v0.9.0
 	cloud.google.com/go/firestore v1.21.0
 	cloud.google.com/go/iam v1.5.3
@@ -124,6 +125,7 @@ require (
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/martian/v3 v3.3.3 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect

go.sum

@@ -33,6 +33,8 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/cloudsqlconn v1.20.2 h1:r1BFbgxKA7h0jY13pGk8wBueUeLhqF27e5Hyaxl8Ua8=
+cloud.google.com/go/cloudsqlconn v1.20.2/go.mod h1:cGBrxU+pKs1NppBkecFC+rKn9B5GnEdlz7XrHbuwn7E=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
@@ -244,12 +246,16 @@ github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
 github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
+github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
+github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
+github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
@@ -340,6 +346,26 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=
+github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
+github.com/jackc/pgconn v1.14.3 h1:bVoTr12EGANZz66nZPkMInAV/KHD2TxH9npjXXgiB3w=
+github.com/jackc/pgconn v1.14.3/go.mod h1:RZbme4uasqzybK2RK5c65VsHxoyaml09lx3tXOcO/VM=
+github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
+github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgproto3/v2 v2.3.3 h1:1HLSx5H+tXR9pW3in3zaztoEwQYRC9SQaYUHjTSUOag=
+github.com/jackc/pgproto3/v2 v2.3.3/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgtype v1.14.4 h1:fKuNiCumbKTAIxQwXfB/nsrnkEI6bPJrrSiMKgbJ2j8=
+github.com/jackc/pgtype v1.14.4/go.mod h1:aKeozOde08iifGosdJpz9MBZonJOUJxqNpPBcMJTlVA=
+github.com/jackc/pgx/v4 v4.18.3 h1:dE2/TrEsGX3RBprb3qryqSV9Y60iZN1C6i8IrmW9/BA=
+github.com/jackc/pgx/v4 v4.18.3/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw=
+github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
+github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -358,6 +384,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lib/pq v1.12.0 h1:mC1zeiNamwKBecjHarAr26c/+d8V5w/u4J0I/yASbJo=
 github.com/lib/pq v1.12.0/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
+github.com/microsoft/go-mssqldb v1.9.8 h1:d4IFMvF/o+HdpXUqbBfzHvn/NlFA75YGcfHUUvDFJEM=
+github.com/microsoft/go-mssqldb v1.9.8/go.mod h1:eGSRSGAW4hKMy5YcAenhCDjIRm2rhqIdmmwgciMzLus=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
@@ -367,6 +395,8 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo=
 github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

mysql/gcpmysql/gcpmysql.go

@@ -24,6 +24,17 @@
 // To customize the URL opener, or for more details on the URL format,
 // see URLOpener.
 //
+// # IP Type
+//
+// By default, connections use auto-IP selection (public IP if available,
+// otherwise private IP), matching the behavior of the legacy cloudsql-proxy.
+// To use a specific IP type, set URLOpener.IPType or pass the "ip_type" query
+// parameter in the URL (requires URLOpener.Dialer to be set):
+//
+//	gcpmysql://user:pass@project/region/instance/dbname?ip_type=psc
+//
+// Valid values for ip_type: auto, public, private, psc.
+//
 // See https://gocloud.dev/concepts/urls/ for background information.
 package gcpmysql // import "gocloud.dev/mysql/gcpmysql"
 
@@ -37,6 +48,7 @@ import (
 	"strings"
 	"sync"
 
+	"cloud.google.com/go/cloudsqlconn"
 	"github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/proxy"
 	"github.com/XSAM/otelsql"
 	"github.com/go-sql-driver/mysql"
@@ -68,13 +80,13 @@ func (o *lazyCredsOpener) OpenMySQLURL(ctx context.Context, u *url.URL) (*sql.DB
 			o.err = err
 			return
 		}
-		client, err := gcp.NewHTTPClient(gcp.DefaultTransport(), creds.TokenSource)
+		// Ignore cleanup: the dialer lives for the process lifetime in this global opener.
+		d, _, err := cloudsql.NewDialer(ctx, creds.TokenSource)
 		if err != nil {
 			o.err = err
 			return
 		}
-		certSource := cloudsql.NewCertSource(client)
-		o.opener = &URLOpener{CertSource: certSource}
+		o.opener = &URLOpener{Dialer: d}
 	})
 	if o.err != nil {
 		return nil, fmt.Errorf("gcpmysql open %v: %v", u, o.err)
@@ -85,35 +97,72 @@ func (o *lazyCredsOpener) OpenMySQLURL(ctx context.Context, u *url.URL) (*sql.DB
 // URLOpener opens Cloud MySQL URLs like
 // "gcpmysql://user:password@project/region/instance/dbname".
 type URLOpener struct {
+	// Dialer creates Cloud SQL connections using the Cloud SQL Go Connector.
+	// Supports PSC and explicit IP type selection via IPType or the "ip_type"
+	// URL query parameter.
+	// If both Dialer and CertSource are set, Dialer takes precedence.
+	Dialer *cloudsqlconn.Dialer
+
 	// CertSource specifies how the opener will obtain authentication information.
-	// CertSource must not be nil.
+	//
+	// Deprecated: Use Dialer instead. CertSource does not support PSC or
+	// explicit IP type selection. Ignored if Dialer is also set.
 	CertSource proxy.CertSource
 
 	// TraceOpts contains options for OpenTelemetry.
 	TraceOpts []otelsql.Option
+
+	// IPType controls which IP address type is used to connect to the Cloud SQL
+	// instance. Only applies when Dialer is set; ignored for CertSource connections.
+	// Defaults to IPTypeAuto (public IP if available, otherwise private).
+	// Can be overridden per-URL via the "ip_type" query parameter.
+	IPType cloudsql.IPType
 }
 
 // OpenMySQLURL opens a new GCP database connection wrapped with OpenTelemetry instrumentation.
 func (uo *URLOpener) OpenMySQLURL(ctx context.Context, u *url.URL) (*sql.DB, error) {
-	if uo.CertSource == nil {
-		return nil, fmt.Errorf("gcpmysql: URLOpener CertSource is nil")
+	if uo.Dialer == nil && uo.CertSource == nil {
+		return nil, fmt.Errorf("gcpmysql: URLOpener Dialer and CertSource are both nil")
 	}
-	var (
-		client   = &proxy.Client{Certs: uo.CertSource, Port: 3307}
-		cfg, err = configFromURL(u)
-	)
+
+	cfg, err := configFromURL(u)
 	if err != nil {
 		return nil, fmt.Errorf("gcpmysql: open config %v", err)
 	}
-	cfg.DialFunc = func(ctx context.Context, _, addr string) (net.Conn, error) {
-		// MySQL driver's addr is in the form "[host]:3306" after normalized.
-		// https://github.com/go-sql-driver/mysql/blob/76c00e35a8d48f8f70f0e7dffe584692bd3fa612/dsn.go#L193-L195
-		instance, _, err := net.SplitHostPort(addr)
-		if err != nil {
-			return nil, err
+
+	if uo.Dialer != nil {
+		// New path: Cloud SQL Go Connector with IP type and PSC support.
+		ipType := uo.IPType
+		if s := u.Query().Get("ip_type"); s != "" {
+			parsed, err := parseIPType(s)
+			if err != nil {
+				return nil, fmt.Errorf("gcpmysql: open: %v", err)
+			}
+			ipType = parsed
+		}
+		dialOpts := ipType.DialOptions()
+		d := uo.Dialer
+		cfg.DialFunc = func(ctx context.Context, _, addr string) (net.Conn, error) {
+			// MySQL driver's addr is in the form "[host]:3306" after normalized.
+			// https://github.com/go-sql-driver/mysql/blob/76c00e35a8d48f8f70f0e7dffe584692bd3fa612/dsn.go#L193-L195
+			instance, _, err := net.SplitHostPort(addr)
+			if err != nil {
+				return nil, err
+			}
+			return d.Dial(ctx, instance, dialOpts...)
+		}
+	} else {
+		// Legacy path: cloudsql-proxy v1 (no PSC or IP type selection).
+		client := &proxy.Client{Certs: uo.CertSource, Port: 3307}
+		cfg.DialFunc = func(ctx context.Context, _, addr string) (net.Conn, error) {
+			instance, _, err := net.SplitHostPort(addr)
+			if err != nil {
+				return nil, err
+			}
+			return client.DialContext(ctx, instance)
 		}
-		return client.DialContext(ctx, instance)
 	}
+
 	c, err := mysql.NewConnector(cfg)
 	if err != nil {
 		return nil, fmt.Errorf("gcpmysql: open connector %v", err)
@@ -127,10 +176,14 @@ func configFromURL(u *url.URL) (*mysql.Config, error) {
 		return nil, err
 	}
 
+	// Strip ip_type from query before passing to MySQL DSN parser.
+	query := u.Query()
+	query.Del("ip_type")
+
 	var cfg *mysql.Config
 	switch {
-	case len(u.RawQuery) > 0:
-		optDsn := fmt.Sprintf("/%s?%s", dbName, u.RawQuery)
+	case len(query) > 0:
+		optDsn := fmt.Sprintf("/%s?%s", dbName, query.Encode())
 		if cfg, err = mysql.ParseDSN(optDsn); err != nil {
 			return nil, err
 		}
@@ -161,3 +214,18 @@ func instanceFromURL(u *url.URL) (instance, db string, _ error) {
 	}
 	return parts[0] + ":" + parts[1] + ":" + parts[2], parts[3], nil
 }
+
+func parseIPType(s string) (cloudsql.IPType, error) {
+	switch strings.ToLower(s) {
+	case "auto", "":
+		return cloudsql.IPTypeAuto, nil
+	case "public":
+		return cloudsql.IPTypePublic, nil
+	case "private":
+		return cloudsql.IPTypePrivate, nil
+	case "psc":
+		return cloudsql.IPTypePSC, nil
+	default:
+		return 0, fmt.Errorf("unknown ip_type %q (valid: auto, public, private, psc)", s)
+	}
+}