This assumes that you are running elasticsearch on a different server than you are running the fusionauth instances. If they are on the same server, you should be fine, as that is the default configuration.
The first is at the network level, using a firewall or something like security groups on AWS. If you are doing this, you can configure the server that elasticsearch is installed on to accept requests only from the server that FusionAuth is installed on.
The second is to use basic authentication. That is, set fusionauth-search.servers in the fusionauth.properties file, or the FUSIONAUTH_SEARCH_SERVERS environment variable to include the basic username and password. https://user:firstname.lastname@example.org. And make sure to set up elastic to use basic auth, using whatever authentication source you'd like. (You could even go meta and have elasticsearch auth the user against the fusionauth instance ).
If you're already using a load balancer or a similar technology that provides routing rules, these are easy to configure.
You can also use managed IP locking (limiting access to a certain set of IP addresses), or some other type of HTTP header on the request to limit access to the FusionAuth admin UI to authorized users and treat all other traffic to anything under /admin for end users as an invalid request. These types of solutions are best handled at the network layer or with a proxy.