Is it possible to restrict access to elastic deployment only from AWS EC2 instances that are part of a particular VPN?
Of course, network security is multi-faceted... (you can implement your own FWs, VPC controls, Private link etc..etc..)
Here are the built-in features for self-managed elasticsearch