Create a “production-elastic-search” security group and attach it to all of your ES instances. Add a custom inbound rule whose source is that same security group (a self-referencing rule); otherwise the nodes will not be able to see each other and join the cluster.
Custom TCP Rule / Protocol: TCP / Port Range: 9200-9400 / Source: sg-xxxxxx (the ID of the same “production-elastic-search” security group). Only 9300-9400, the transport port range, is needed for node-to-node traffic; 9200 is the HTTP API used by clients, so the self-referencing rule can be narrowed to 9300-9400. Do not open either range to 0.0.0.0/0.
(You may also want a separate inbound rule that allows your own IP, as a /32, to reach the group while debugging. Remove it when you are done.)
Add the private IPs of all nodes to the unicast hosts setting in elasticsearch.yml (on ALL instances). The file is YAML, so the settings use “key: value”, not “key = value”:
discovery.zen.ping.unicast.hosts: ["<Private IP of ES instance 1>:9300", "<Private IP of ES instance 2>:9300", …]
discovery.zen.minimum_master_nodes: floor(N/2) + 1, where N is the number of master-eligible nodes. This is the quorum that stops a partitioned cluster from electing two masters (split brain); set it on every node and update it whenever you change N.
Note: the hand-maintained unicast host list can probably be replaced by the AWS cloud plugin’s EC2 discovery, which finds nodes by security group or tag, now that the security group is set up properly.
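The whole procedure above, scripted against the AWS CLI, as an added example that is not part of the original notes. The security group name follows the notes; the VPC ID, the admin address and the three private IPs are constructed placeholders. It narrows the self-referencing rule to the transport ports (9300-9400) and grants the admin address only the HTTP port, renders the discovery settings for elasticsearch.yml with the quorum computed as floor(N/2) + 1, and defaults to a dry run (DRY_RUN=1) that prints the aws commands instead of executing them, so it runs offline; set DRY_RUN=0 to apply.

```shell
#!/bin/sh
# Added example: create the self-referencing security group and render the
# zen unicast discovery settings for an N-node cluster. VPC ID, admin IP and
# the private node IPs below are constructed placeholders.
set -eu

SG_NAME="production-elastic-search"
TRANSPORT_PORTS="9300-9400"   # node-to-node transport; 9200 (HTTP) is for clients only
HTTP_PORT="9200"

# Quorum for discovery.zen.minimum_master_nodes: floor(N/2) + 1.
# Shell arithmetic is integer division, so N/2 already floors.
quorum() {
  echo $(( $1 / 2 + 1 ))
}

# Render the unicast.hosts value as a YAML flow sequence, one transport
# endpoint (ip:9300) per node.
unicast_hosts() {
  out=""
  for ip in "$@"; do
    if [ -z "$out" ]; then out="\"$ip:9300\""; else out="$out, \"$ip:9300\""; fi
  done
  echo "[$out]"
}

# Render the discovery section to paste into elasticsearch.yml on every node.
# YAML wants "key: value", not "key = value".
render_discovery_config() {
  n=$#
  echo "discovery.zen.ping.unicast.hosts: $(unicast_hosts "$@")"
  echo "discovery.zen.minimum_master_nodes: $(quorum "$n")"
}

# Execute an aws CLI command, or only print it when DRY_RUN is set
# (the default, so this script is safe to run without credentials).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Create the security group and its two inbound rules; prints the group ID.
create_security_group() {
  vpc_id="$1"; admin_ip="$2"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    sg_id="sg-DRYRUN"
  else
    sg_id=$(aws ec2 create-security-group --group-name "$SG_NAME" \
      --description "Elasticsearch cluster nodes" --vpc-id "$vpc_id" \
      --query GroupId --output text)
  fi
  # Self-referencing rule: members of this group reach each other on the
  # transport ports only. Nothing here is opened to 0.0.0.0/0.
  run aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
    --protocol tcp --port "$TRANSPORT_PORTS" --source-group "$sg_id"
  # Debugging access for one admin address to the HTTP API; revoke it afterwards.
  run aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
    --protocol tcp --port "$HTTP_PORT" --cidr "$admin_ip/32"
  echo "$sg_id"
}

# Constructed sample input: a placeholder VPC, an admin address from the
# documentation range, and three nodes in a hypothetical 10.0.1.0/24 subnet.
create_security_group "vpc-0example" "203.0.113.10"
render_discovery_config 10.0.1.10 10.0.1.11 10.0.1.12
```

For three nodes the rendered quorum is 2; for four nodes it is 3. Re-run render_discovery_config and roll the output to every node whenever you add or remove a master-eligible node, since a stale minimum_master_nodes is what lets a split cluster elect two masters.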