How to make our Elastic cluster secure against replica creation from machines outside the cluster?

I have an Elasticsearch cluster (6.4.0) with one master node and one data node.
X-Pack is enabled on both machines. Both machines are working well.

Indexes are available in both machines

user:elastic and p/w: changeme in both machines.

Master node: (IP : 192.168.1.1)
node.master: true
node.data: false
discovery.zen.ping.unicast.hosts: ["192.168.1.2"]

Data Node: (IP: 192.168.1.2)
node.master: false
node.data: true
discovery.zen.ping.unicast.hosts: ["192.168.1.1"]

My question is:

Is "discovery.zen.ping.unicast.hosts" the only option for restricting index creation from outside machines on our cluster?

Is there any other security mechanism to restrict index/replica creation in our cluster from an ES machine that is not part of the cluster?

Is there any other security mechanism to restrict index/replica creation in our cluster from an ES machine that is not part of the cluster?

I understand that you are concerned about unknown nodes joining the cluster.

Node discovery and cluster formation are done through the transport network module.
Enabling Security allows you to enable authentication on the transport layer as part of configuring TLS.
In this case, only nodes that possess certificates (for their hosts) will be able to join the cluster.

Without TLS on the transport layer, you are right, the cluster is vulnerable to being hijacked, unless there are other OS-level (firewall) provisions.
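
The transport-layer TLS setup described in the reply above, written out for the data node from the question. This is an added example, not part of the original posts; the certificate path and file name are assumptions, and the file is assumed to have been produced with `bin/elasticsearch-certutil ca` followed by `bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12`.

```yaml
# elasticsearch.yml on the data node (192.168.1.2).
# The master node (192.168.1.1) gets the same xpack.* lines and its own
# copy of a certificate signed by the same CA.

node.master: false
node.data: true

# Seed list for discovery only: it tells this node where to look for peers.
# It is not an access control and does not stop another Elasticsearch
# process from connecting to the transport port and asking to join.
discovery.zen.ping.unicast.hosts: ["192.168.1.1"]

xpack.security.enabled: true

# TLS with certificate authentication between nodes. A node that cannot
# present a certificate signed by the trusted CA fails the handshake and
# never reaches cluster formation.
xpack.security.transport.ssl.enabled: true

# "certificate" checks that the peer certificate chains to the trusted CA.
# "full" also checks the peer's hostname/IP against the certificate, which
# requires certificates issued with matching --dns / --ip values.
xpack.security.transport.ssl.verification_mode: certificate

# Assumed location, relative to the Elasticsearch config directory.
# The PKCS#12 file holds the node key, the node certificate and the CA
# certificate, so it serves as both keystore and truststore.
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# If the PKCS#12 file has a password, store it in the Elasticsearch
# keystore rather than in this file:
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
```

Both nodes must be restarted with TLS enabled, since a node with transport TLS on cannot talk to one with it off.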
