Block internet access to mirrors.phx.ovirt.org

Description

mirrors.phx.ovirt.org currently allows HTTP access from the entire internet. It was convenient while it was being deployed, but now it should be changed to allow access only from the PHX data center.

Activity

Former user March 9, 2017 at 11:47 AM

Having an apache ACL makes monitoring easy, as all accepted/rejected connections show up in access_log. I monitored it and nothing changed for PHX machines accessing the mirrors.

Barak Korren March 9, 2017 at 11:43 AM

You can also make firewalld route to zones by source address with the '--add-source=' option. But anyway, you can use whatever you are comfortable with.

We need to also verify that the mirrors remain accessible from all slaves; the jobs will transparently fail over to the remote package sources if not.
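
The two comments above describe the same check from two sides: rejected connections show up in access_log as 403s, and the thing to verify is that no PHX slave is among them. The script below is an added example of that check and is not part of the ticket or the oVirt infra repo; the access_log lines it works on are constructed sample data in Apache combined format, and the private-range test assumes the PHX slaves reach the mirror from RFC 1918 addresses, as the ticket's NAT comment suggests.

```shell
#!/bin/sh
# Constructed sample access_log lines (Apache combined format), NOT real
# mirrors.phx.ovirt.org data. 403 = request rejected by the httpd ACL,
# 200 = request served.
SAMPLE_LOG='10.0.1.12 - - [09/Mar/2017:10:35:01 +0000] "GET /repos/ HTTP/1.1" 200 1523 "-" "curl/7.29.0"
192.168.5.7 - - [09/Mar/2017:10:35:09 +0000] "GET /repos/centos/ HTTP/1.1" 200 4120 "-" "yum/3.4.3"
203.0.113.45 - - [09/Mar/2017:10:36:20 +0000] "GET /repos/ HTTP/1.1" 403 209 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Mar/2017:10:37:02 +0000] "GET /repos/fedora/ HTTP/1.1" 403 209 "-" "curl/7.51.0"
172.16.40.3 - - [09/Mar/2017:10:38:44 +0000] "GET /repos/epel/ HTTP/1.1" 403 209 "-" "yum/3.4.3"'

# is_rfc1918 IP -> returns 0 if IP is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
  a=${1%%.*}
  rest=${1#*.}
  b=${rest%%.*}
  [ "$a" = 10 ] && return 0
  [ "$a" = 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
  [ "$a" = 192 ] && [ "$b" = 168 ] && return 0
  return 1
}

# count_status LOG STATUS -> number of requests that got that HTTP status
# (field 9 of the combined log format is the status code)
count_status() {
  printf '%s\n' "$1" | awk -v s="$2" '$9 == s' | wc -l | tr -d ' '
}

# rejected_private LOG -> unique private-range clients that received a 403.
# Any output here means a PHX/RFC 1918 host was locked out by the ACL, which
# is exactly the case where the jobs would fail over to remote package sources.
rejected_private() {
  printf '%s\n' "$1" | awk '$9 == 403 {print $1}' | sort -u | while read -r ip; do
    if is_rfc1918 "$ip"; then printf '%s\n' "$ip"; fi
  done
}

# Stand-alone report over the sample data.
printf 'accepted (200): %s\n' "$(count_status "$SAMPLE_LOG" 200)"
printf 'rejected (403): %s\n' "$(count_status "$SAMPLE_LOG" 403)"
printf 'private sources rejected by the ACL (should be empty):\n%s\n' "$(rejected_private "$SAMPLE_LOG")"
```

On the real host the same functions would be fed `/var/log/httpd/access_log` instead of the constructed sample; a non-empty result from `rejected_private` is the signal that the ACL is too narrow for the slaves, while the 403 count for public sources confirms the internet-wide access is actually closed.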

Former user March 9, 2017 at 10:30 AM

firewalld zones are attached to interfaces and as the server just has one it will not allow filtering traffic out of the box. Custom iptables rules need to be invoked.

Instead I just applied an ACL in /etc/httpd/conf/httpd.conf to limit traffic sources, so now repos are only reachable from inside PHX:
http://mirrors.phx.ovirt.org/repos/
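
The comment above says an ACL was added to httpd.conf but does not show it. The fragment below is an added example of such a source-based ACL, not the actual configuration of mirrors.phx.ovirt.org: it assumes Apache 2.4 (`mod_authz_core` `Require` syntax), a document root path that is an assumption, and uses a documentation range as a placeholder for the PHX data-center network, which the ticket does not give. The RFC 1918 ranges are kept open as the earlier comment in this ticket asks.

```apache
# Added example, not the real httpd.conf of mirrors.phx.ovirt.org.
# Assumes Apache 2.4 and that the repos live under the path below (assumed).
<Directory "/var/www/html/repos">
    Options Indexes FollowSymLinks

    # Serve only the PHX data center plus RFC 1918 private networks (the
    # NAT sources mentioned in the ticket); every other source gets a 403,
    # which is what then shows up in access_log for monitoring.
    <RequireAny>
        # Placeholder for the PHX public range; 203.0.113.0/24 is an
        # RFC 5737 documentation prefix, not the real network.
        Require ip 203.0.113.0/24
        Require ip 10.0.0.0/8
        Require ip 172.16.0.0/12
        Require ip 192.168.0.0/16
    </RequireAny>
</Directory>
```

After `systemctl reload httpd`, a request from a listed range returns 200 and one from anywhere else returns 403; unlike firewall drops, both outcomes are logged with the client address, which is the property the monitoring comment in this ticket relies on.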

Barak Korren March 3, 2017 at 4:59 PM

I think proper firewalld zone configuration would suffice. I'd set it in place myself but I haven't been able to find the time...

Former user March 3, 2017 at 3:03 PM

There still is some NAT from times when no route was in place, but it can disappear at any moment, so please leave access for RFC 1918 private networks.
This ticket is on me right now. Is there anything I can help with regarding this ticket? Should I add ACLs to the web server config?

PS: an alternative would be to move the mirrors into an internal VLAN; however, in case we have external consumers in the future, they may have problems accessing them.

Done

Details

Created January 30, 2017 at 11:45 AM
Updated April 2, 2017 at 12:51 PM
Resolved March 9, 2017 at 10:30 AM