How to secure node-to-node communication?

After reading many tutorials, I have successfully secured HTTP access to my elasticsearch cluster by using nginx to reverse proxy http traffic through an ssl connection that requires basic auth. But I have not been able to find a tutorial on how to secure node-to-node communication. Unfortunately, I am quite the beginner at devops, so I don’t know where to begin.

I thought to use the same nginx setup, but the elasticsearch.yml does not have a setting for specifying basic auth username and passwords AFIK (like the kibana.yml does), so while I might encrypt communications, it would not be password protected, meaning (I guess?) a malicious node or user might still gain access or at least view unencrypted traffic.

The only alternative I came up with is to whitelist other elasticsearch node IPs, but this seems like a last resort, especially since the IPs may change frequently.

Is there a basic guide somewhere that discusses this? I’ve searched for the past 2 days but could not find one. There are many guides on securing http communication from a USER to the elasticsearch cluster, but none that I can find on node-to-node communication. If no guide is available, maybe just a finger in the right direction.

(I know Shield offers this, but my needs are limited to just encryption and auth for a single user.)

Still trying to work on this.

Is node-to-node communication already secure or is it in the clear?

I will be running this on AWS or VPS's.

Still trying to make headway on this a week later. ANY help would be appreciated. (Even a gentle pointing somewhere else would be very helpful to me.)

Seems to be unencrypted, take a look at this and this