Even if your Flask app is not on the same server as the index, if you do have some Flask app running on that server, it can serve as the layer between the user and Elasticsearch.
All incoming queries to Elasticsearch from wherever on the internet can talk to that app instead, through whatever port, and that app can then query Elasticsearch. It would only support the kinds of queries you want users to be able to issue to Elasticsearch. Even if the API for this app were something like:
{'query': 'your full es query goes here'}
you could have some string-matching filters to prevent malicious queries. This wouldn't be ideal, but the point is that you can control what gets to Elasticsearch with the logic in that Flask app.
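Added example (not code from the original post) of what that Flask layer can look like. The preferred path takes a small constrained request and builds the Elasticsearch query server-side from an allowlist; a second helper implements the fallback the post mentions, screening a user-supplied full query, but on the parsed JSON rather than by string matching so spacing and encoding tricks cannot slip past it. The index name, field names and ES URL are assumptions; Flask is only needed to run the server, the validation functions work without it.

```python
"""Added example: a Flask front door that decides what reaches Elasticsearch."""
import json
import urllib.request

ES_URL = "http://127.0.0.1:9200"        # assumption: ES reachable only from this host
INDEX = "articles"                      # hypothetical index
SEARCHABLE_FIELDS = {"title", "body"}   # hypothetical: fields users may search
FILTERABLE_FIELDS = {"author", "tags"}  # hypothetical: exact-match filter fields
MAX_SIZE, MAX_OFFSET, MAX_TEXT = 50, 1000, 256
ALLOWED_KEYS = {"q", "fields", "filters", "size", "from"}


class BadRequest(ValueError):
    """Raised for any request that does not fit the constrained API."""


def _int_in_range(value, lo, hi):
    # bool is a subclass of int, so {"size": true} must be rejected explicitly
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi


def build_es_query(req):
    """Translate {"q", "fields", "filters", "size", "from"} into Query DSL.

    The user never supplies DSL: text goes into multi_match (no query_string
    syntax, wildcards or scripts), filters become term clauses on allowlisted
    fields, and paging is bounded so one caller cannot walk the whole index.
    """
    if not isinstance(req, dict):
        raise BadRequest("body must be a JSON object")
    unknown = set(req) - ALLOWED_KEYS
    if unknown:
        raise BadRequest(f"unknown keys: {sorted(unknown)}")
    q = req.get("q")
    if not isinstance(q, str) or not q.strip() or len(q) > MAX_TEXT:
        raise BadRequest(f"q must be a non-empty string of at most {MAX_TEXT} chars")
    fields = req.get("fields", sorted(SEARCHABLE_FIELDS))
    if (not isinstance(fields, list) or not fields
            or not all(isinstance(f, str) for f in fields)
            or not set(fields) <= SEARCHABLE_FIELDS):
        raise BadRequest(f"fields must be a non-empty subset of {sorted(SEARCHABLE_FIELDS)}")
    filters = req.get("filters", {})
    if not isinstance(filters, dict) or not set(filters) <= FILTERABLE_FIELDS:
        raise BadRequest(f"filters may only use {sorted(FILTERABLE_FIELDS)}")
    if not all(isinstance(v, str) and 0 < len(v) <= MAX_TEXT for v in filters.values()):
        raise BadRequest("filter values must be short strings")
    size, offset = req.get("size", 10), req.get("from", 0)
    if not _int_in_range(size, 1, MAX_SIZE) or not _int_in_range(offset, 0, MAX_OFFSET):
        raise BadRequest("size/from out of range")
    return {
        "size": size,
        "from": offset,
        "query": {"bool": {
            "must": [{"multi_match": {"query": q, "fields": fields, "operator": "and"}}],
            "filter": [{"term": {k: v}} for k, v in sorted(filters.items())],
        }},
    }


# Fallback from the post: accept a full query and screen it. The denylist is
# illustrative and will never be complete (new constructs appear with each ES
# release), which is why build_es_query above is the preferred design.
DENIED_KEYS = {"script", "script_score", "script_fields", "runtime_mappings",
               "query_string", "simple_query_string", "regexp", "wildcard",
               "prefix", "fuzzy", "more_like_this"}


def screen_raw_query(raw, max_depth=8):
    """Reject a user-supplied {'query': ...} body that uses denied constructs."""
    if not isinstance(raw, dict) or set(raw) != {"query"}:
        raise BadRequest("body must be exactly {'query': ...}")

    def walk(node, depth):  # walk the parsed structure, not the JSON text
        if depth > max_depth:
            raise BadRequest("query nested too deeply")
        if isinstance(node, dict):
            for key, value in node.items():
                if key in DENIED_KEYS:
                    raise BadRequest(f"disallowed construct: {key}")
                walk(value, depth + 1)
        elif isinstance(node, list):
            for value in node:
                walk(value, depth + 1)

    walk(raw["query"], 0)
    return {"query": raw["query"], "size": 10}  # the app still fixes the page size


def _http_post(url, body):
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def forward_to_es(body, post=_http_post):
    """Send the server-built body to ES; `post` is injectable for offline checks."""
    return post(f"{ES_URL}/{INDEX}/_search", body)


def rejected(func, arg):
    """True if func(arg) raises BadRequest (used for self-checks)."""
    try:
        func(arg)
    except BadRequest:
        return True
    return False


def create_app():
    """Wire the validator into Flask; imported lazily so the logic above runs without it."""
    from flask import Flask, jsonify, request
    app = Flask(__name__)

    @app.post("/search")
    def search():
        try:
            body = build_es_query(request.get_json(force=True, silent=True))
        except BadRequest as exc:
            return jsonify({"error": str(exc)}), 400
        return jsonify(forward_to_es(body))

    return app


if __name__ == "__main__":
    create_app().run(host="127.0.0.1", port=8080)  # put TLS / a reverse proxy in front
```

With this in place Elasticsearch itself should listen only on an address the Flask host can reach (not 0.0.0.0 on a public interface), so the app is the only path in; otherwise the filtering can simply be bypassed.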