diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e5bb603e..b4585221a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,7 +46,7 @@ BUG FIXES:
 * Bump terraform version in windows VM template ([#4212](https://github.com/microsoft/AzureTRE/issues/4212))
 * Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitiagte storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004))
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
-
+* Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 COMPONENTS:
 ## 0.19.1
diff --git a/templates/workspace_services/guacamole/.env.sample b/templates/workspace_services/guacamole/.env.sample
index bd6e4ba57..cadae76d2 100644
--- a/templates/workspace_services/guacamole/.env.sample
+++ b/templates/workspace_services/guacamole/.env.sample
@@ -17,6 +17,6 @@ GUAC_DRIVE_NAME="transfer"
 GUAC_DRIVE_PATH="/guac-transfer"
 GUAC_DISABLE_DOWNLOAD=true
 GUAC_DISABLE_UPLOAD=true
-IS_EXPOSED_EXTERNALLY=false
+IS_EXPOSED_EXTERNALLY=true
 image_name="guac-server"
 image_tag=""
diff --git a/templates/workspace_services/guacamole/porter.yaml b/templates/workspace_services/guacamole/porter.yaml
index e6f416491..c7009d1c0 100644
--- a/templates/workspace_services/guacamole/porter.yaml
+++ b/templates/workspace_services/guacamole/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole
-version: 0.12.5
+version: 0.12.6
 description: "An Azure TRE service for Guacamole"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspace_services/guacamole/terraform/data.tf b/templates/workspace_services/guacamole/terraform/data.tf
index 93d29f4d9..35b523ae8 100644
--- a/templates/workspace_services/guacamole/terraform/data.tf
+++ b/templates/workspace_services/guacamole/terraform/data.tf
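Review bot: In `templates/workspace_services/guacamole/.env.sample` the flag flips to `IS_EXPOSED_EXTERNALLY=true` with no comment explaining it, while the `web_app.tf` hunk of this same commit feeds `var.is_exposed_externally` into `public_network_access_enabled`. Assuming the env value maps onto that variable (the mapping is not visible in this diff), anyone who copies the sample unchanged now opts in to a publicly reachable Guacamole web app. I would document the setting directly above it, for example `# true: web app accepts traffic from public networks; false: public network access is disabled`, and state in the same comment which value a restricted workspace should use.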
@@ -71,3 +71,8 @@ data "azurerm_monitor_diagnostic_categories" "guacamole" {
 azurerm_linux_web_app.guacamole,
 ]
 }
+
+data "azurerm_service_plan" "workspace" {
+ name = "plan-${var.workspace_id}"
+ resource_group_name = data.azurerm_resource_group.ws.name
+}
diff --git a/templates/workspace_services/guacamole/terraform/web_app.tf b/templates/workspace_services/guacamole/terraform/web_app.tf
index e81ddc284..c92190b9e 100644
--- a/templates/workspace_services/guacamole/terraform/web_app.tf
+++ b/templates/workspace_services/guacamole/terraform/web_app.tf
@@ -1,8 +1,3 @@
-data "azurerm_service_plan" "workspace" {
- name = "plan-${var.workspace_id}"
- resource_group_name = data.azurerm_resource_group.ws.name
-}
-
 # we have to use user-assigned to break a cycle in the dependencies: app identity, kv-policy, secrets in app settings
 resource "azurerm_user_assigned_identity" "guacamole_id" {
 resource_group_name = data.azurerm_resource_group.ws.name
@@ -24,6 +19,7 @@ resource "azurerm_linux_web_app" "guacamole" {
 ftp_publish_basic_authentication_enabled = false
 webdeploy_publish_basic_authentication_enabled = false
 tags = local.workspace_service_tags
+ public_network_access_enabled = var.is_exposed_externally
 site_config {
 http2_enabled = true
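Review bot: The added `public_network_access_enabled = var.is_exposed_externally` in `azurerm_linux_web_app.guacamole` (web_app.tf, second hunk) ties the web app's reachability to a variable whose declaration is not part of this diff. It is worth confirming that the variable is declared as `bool` and that the value a deployment gets when it is left unset is the one intended for a restricted workspace. A comment on the line would help the next reader, e.g. `# public ingress is opt-in; when false the app is only reachable over private networking`. The second half of that comment depends on a private endpoint or equivalent that this hunk does not show, so please verify one is deployed before relying on `false`. The resource block starts before and ends after this hunk, so the `site_config` access restrictions that would apply when the value is `true` cannot be judged from here.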