Private-Zone Route53 Health Checks

My customer is interested in monitoring and creating alerts for private-zone Route53 health checks. Their goal is to verify that internal DNS resolution remains available and working in AWS.

I think you perhaps misunderstand what Route 53 Health Checks are for. They do not verify that DNS resolution is available. They verify that tcp/http/https endpoints (usually IPs) are answering. In many cases, this allows Route 53 DNS records to be dynamically updated to include health endpoints only.

Is there a way to monitor Private-Zone Route53 health checks?

Health checks do not monitor DNS zones, they monitor tcp/http/https service endpoints.

If you mean to ask "is there is a way to health check endpoints privately inside a VPC?", the answer is "not directly today, but there are workarounds". Some customers do this by giving their VPC service a public IP and restricting connectivity to it exclusively to the health checker's public IPs (which are published). You can then use that health check to dynamically update a DNS entry in a private hosted zone.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-healthcheck.html

"Route 53 health checkers are outside the VPC. To check the health of an endpoint within a VPC by IP address, you must assign a public IP address to the instance in the VPC."

There are other ways this can be done indirectly also, e.g.:

https://aws.amazon.com/blogs/networking-and-content-delivery/performing-route-53-health-checks-on-private-resources-in-a-vpc-with-aws-lambda-and-amazon-cloudwatch/

All health checks get CloudWatch metrics, so you can set alarms on them.

Does the SLA below include private-zone Route53 as well? https://aws.amazon.com/route53/sla/

The SLA explicitly includes Private DNS. "This Amazon Route 53 Service Level Agreement (“SLA”) is a policy governing the use of Amazon Route 53 (including Private DNS) "