Protect ElasticSearch port(s) on Amazon EC2 instances

I didn't get it working to avoid opening the 9300 port. In the manual
it is stated that I need to open the port and when I do not open the
port the instances do not discover themself as a cluster (I see an
exception when they try to access the other machine). I guess there
has to happen some magic with the security group or is it not