TLDR - Elasticsearch is not designed to be exposed to the internet.
To dig into this with more detail, here's more information taken from this topic.
This page in the docs says:
NOTE: Elasticsearch installations are not designed to be publicly accessible over the Internet. IP Filtering and the other capabilities of the Elasticsearch security features do not change this condition.
There's also this page which says:
Do not expose Elasticsearch to the Internet, instead have an application make requests on behalf of the Internet. Do not entertain the thought of having an application "sanitize" requests to Elasticsearch. Understand that it is possible for a sufficiently determined malicious user to write searches that overwhelm the Elasticsearch cluster and bring it down.
Ultimately, the level of risk you and your organisation are willing to accept will determine how you decide to approach this matter.
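One way to have an application make requests on behalf of the Internet without passing user-written queries through, shown as an added example that is not part of the original post or the Elasticsearch docs. The field names, limits and function names are assumptions; the application reads a few scalar parameters and builds the whole search body itself.

```python
import json

# Assumed application policy: names and limits are hypothetical, not from the page.
SEARCHABLE_FIELDS = ("body", "title")  # fields end users may search
MAX_TEXT_LEN = 200                     # cap on free-text length
MAX_PAGE_SIZE = 50                     # cap on hits per request
MAX_OFFSET = 1000                      # cap on deep paging


class RejectedRequest(ValueError):
    """The end-user request is outside what the application offers."""


def build_search_body(params: dict) -> dict:
    """Map untrusted request parameters onto a fixed-shape search body.

    No query DSL is accepted from the caller; only four scalars are read.
    """
    unknown = set(params) - {"q", "field", "page", "size"}
    if unknown:
        raise RejectedRequest(f"unexpected parameters: {sorted(unknown)}")
    text = params.get("q")
    if not isinstance(text, str) or not text.strip() or len(text) > MAX_TEXT_LEN:
        raise RejectedRequest("q must be non-empty text within the length cap")
    field = params.get("field", "title")
    if not isinstance(field, str) or field not in SEARCHABLE_FIELDS:
        raise RejectedRequest("field is not searchable")
    try:
        page, size = int(params.get("page", 1)), int(params.get("size", 10))
    except (TypeError, ValueError, OverflowError):
        raise RejectedRequest("page and size must be integers") from None
    offset = (page - 1) * size
    if page < 1 or not 1 <= size <= MAX_PAGE_SIZE or offset > MAX_OFFSET:
        raise RejectedRequest("paging outside allowed range")
    return {
        # match treats the text as plain terms; it has no operator syntax
        "query": {"match": {field: {"query": text}}},
        "from": offset,
        "size": size,
        "timeout": "2s",            # per-shard time limit (best effort)
        "track_total_hits": False,  # skip exact hit counting
        "_source": list(SEARCHABLE_FIELDS),
    }


if __name__ == "__main__":
    # Constructed sample request, as a web form might submit it.
    print(json.dumps(build_search_body({"q": "backup policy", "size": "5"}), indent=2))
```

The returned body is what the application would send to the cluster over a private network; requests that do not fit the fixed shape are rejected rather than rewritten.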