Week 1 · Day 5

Networking for DevOps

DNS, HTTP, TCP/IP, ports, TLS certificates, curl debugging, and load balancers — everything you need to understand what's happening between your code and the user, and how to debug it when it breaks.

⏱ Duration 60 min

📖 Theory 30 min

🔧 Lab 25 min

❓ Quiz 5 min

🐧 Linux / Mac — curl, dig, netstat, openssl 🪟 Windows — Test-NetConnection, Resolve-DnsName, Invoke-WebRequest

Session Overview

What we cover today

01

OSI Model — The 3 Layers You'll Debug

Network (IP), Transport (TCP/UDP/ports), Application (HTTP/DNS). Forget the rest.

02

DNS — How Hostnames Resolve

A records, CNAME, TTL, dig/nslookup, and how to debug DNS failures.

03

TCP/IP, Ports & Firewalls

How connections are established, port scanning, netstat, and common service ports.

04

HTTP/HTTPS & Status Codes

All status code families, headers that matter, curl as your swiss-army knife.

05

TLS Certificates

How HTTPS works, certificate chains, expiry dates, and how expired certs cause outages.

06

Load Balancers & Reverse Proxies

Round-robin, health checks, nginx as a reverse proxy — how traffic reaches your app.

07

🔧 Lab — Network Debugging

dig, curl, netstat, openssl — diagnose real networking issues. Windows commands included.

Part 1 of 6

OSI Model — the 3 layers you'll debug

7

Application

HTTP, HTTPS, DNS, FTP, SMTP — what your app uses

← You live here

6

Presentation

Encryption (TLS), compression, encoding

5

Session

Session management between hosts

4

Transport

TCP (reliable), UDP (fast) — ports 0–65535

netstat · ss · nc

3.5

—

Firewalls, NAT rules, security groups operate between L3 and L4

3

Network

IP addresses, routing, subnets — can I reach that host?

ping · traceroute · ip

2

Data Link

MAC addresses, switches

1

Physical

Cables, fibre, Wi-Fi signals

The DevOps Debug Stack

When something is broken, work bottom up:
L3: ping host — can I reach it at all?
L4: nc -zv host 443 — is the port open?
L7: curl -v https://host — is the app responding?

💡 Memorise just 3 layers

L3 = IP (routing), L4 = TCP/ports (connection), L7 = HTTP/DNS (app). Layers 1, 2, 5, 6 — your cloud provider handles those. You debug 3, 4, and 7 daily.

Part 2 of 6

DNS — the internet's phone book

DNS Record Types

A Record — hostname → IPv4. api.app.com → 1.2.3.4
AAAA Record — hostname → IPv6
CNAME — alias → another hostname. www → app.com
MX Record — mail server for the domain
TXT Record — arbitrary text. Used for domain verification, SPF, DKIM
NS Record — authoritative nameservers for the domain
TTL — Time To Live: how long the record is cached (seconds)

DNS Resolution Flow

Browser checks local cache → OS cache (/etc/hosts) → Recursive resolver (your ISP/8.8.8.8) → Root nameserver → TLD nameserver (.com) → Authoritative nameserver → returns IP → browser connects.

🐧🪟 dig / nslookup

# dig (Linux/Mac/WSL2) — full detail
dig google.com              # Full DNS response
dig google.com A            # A records only
dig google.com MX           # Mail server records
dig +short google.com       # Just the IP(s)
dig @8.8.8.8 google.com    # Use Google's DNS server
dig +trace google.com       # Full resolution path

# nslookup (works on all platforms)
nslookup google.com
nslookup -type=MX gmail.com
nslookup google.com 8.8.8.8  # Query specific DNS server

# Check /etc/hosts (local overrides)
cat /etc/hosts               # Linux/Mac/WSL2

# Windows PowerShell native DNS
Resolve-DnsName google.com
Resolve-DnsName google.com -Type MX
Resolve-DnsName google.com -Server 8.8.8.8

💡 Debug tip — DNS not updating?

dig +short google.com shows what your system sees. Check the TTL — if it's 3600, old record cached for 1 hour. Use dig @8.8.8.8 to bypass local cache and query directly.

Part 3 of 6

TCP/IP, Ports & Firewalls

Common Service Ports

22SSH — secure remote shell 80HTTP — plain web traffic 443HTTPS — encrypted web traffic 3306MySQL / MariaDB 5432PostgreSQL 6379Redis 27017MongoDB 8080HTTP alternative / dev server 8443HTTPS alternative 9090Prometheus 3000Grafana / Node dev 2376Docker daemon (TLS)

TCP vs UDP

TCP — connection-oriented, reliable. 3-way handshake (SYN → SYN-ACK → ACK). Used by HTTP, SSH, databases. Guarantees delivery order.
UDP — connectionless, no guarantee. Faster. Used by DNS, video streaming, VoIP, gaming. "Fire and forget."

🐧🪟 Port Checking

# View listening ports (Linux/Mac/WSL2)
netstat -tlnp              # TCP listening, numeric, with PIDs
ss -tlnp                   # Newer, faster alternative to netstat
lsof -i :8080              # What process is using port 8080?

# Test if a remote port is open
nc -zv github.com 443      # netcat: port 443 open?
nc -zv 10.0.0.5 5432       # DB port reachable?
curl -s --connect-timeout 3 telnet://host:22 && echo "open"

# Trace the network path
traceroute google.com      # Linux/Mac
tracepath google.com       # Alternative (no sudo)

# Windows PowerShell equivalents
netstat -an                # All connections
Test-NetConnection -ComputerName github.com -Port 443
Test-NetConnection github.com -Port 443 -InformationLevel Detailed
tracert google.com         # Windows traceroute

⚠ Cloud Firewall / Security Groups

In cloud environments (Azure NSG, AWS Security Groups), traffic can be blocked even if the port is open on the server. If nc fails but the service is running, check cloud firewall rules — not the server.

Part 4 of 6

HTTP Status Codes — know them cold

2xx

Success

200 OK · 201 Created · 204 No Content · 206 Partial Content

3xx

Redirect

301 Moved Permanently · 302 Found (temp) · 304 Not Modified (cached)

4xx

Client Error

400 Bad Request · 401 Unauthorised · 403 Forbidden · 404 Not Found · 429 Rate Limited

5xx

Server Error

500 Internal Error · 502 Bad Gateway · 503 Unavailable · 504 Gateway Timeout

curl

Trick

-o /dev/null -s -w "%{http_code}" — print just the status code from curl

The Difference: 401 vs 403 vs 404

401 Unauthorized — Not authenticated. No valid token/session. Fix: log in / pass the Authorization header.
403 Forbidden — Authenticated but no permission. Fix: check RBAC roles, IAM policies, file permissions.
404 Not Found — Resource doesn't exist (or you're hiding its existence). Check the URL path.

The Difference: 500 vs 502 vs 503 vs 504

500 — App threw an unhandled exception. Check application logs.
502 Bad Gateway — nginx/load balancer received invalid response from upstream app. App is crashing.
503 Service Unavailable — App is down, overloaded, or in maintenance. Check health checks.
504 Gateway Timeout — Upstream took too long to respond. Check for slow DB queries or network latency.

Part 4 of 6 — continued

curl — your HTTP swiss-army knife

🐧🪟 curl (works on all platforms)

# === Basic requests ===
curl https://api.github.com             # GET request
curl -I https://google.com              # Headers only (HEAD)
curl -v https://httpbin.org/get         # Verbose — shows TLS + headers

# === Common flags ===
curl -L url                             # Follow redirects
curl -o file.json url                   # Save response to file
curl -s url                             # Silent (no progress bar)
curl --connect-timeout 5 url           # Timeout after 5 seconds

# === POST with JSON body ===
curl -X POST https://httpbin.org/post \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer mytoken" \
  -d '{"name":"devops","env":"prod"}'

# === Check status code only ===
curl -o /dev/null -s -w "%{http_code}" https://google.com
# Output: 200

# === Timing breakdown ===
curl -w "\n\nDNS: %{time_namelookup}s\nConnect: %{time_connect}s\nTLS: %{time_appconnect}s\nTotal: %{time_total}s\n" \
  -o /dev/null -s https://google.com

# === Custom headers + auth ===
curl -H "X-API-Key: secret123" \
     -H "Accept: application/json" \
     https://api.example.com/users

🪟 Windows PowerShell — Invoke-WebRequest

Invoke-WebRequest https://google.com
Invoke-WebRequest -Uri url -Method HEAD
(Invoke-WebRequest url).StatusCode
Invoke-RestMethod https://api.url/endpoint (JSON)

curl.exe on Windows 10+:
curl.exe -I https://google.com (real curl!)

The curl Debugging Workflow

1. curl -I url — get status + headers fast
2. curl -v url — see everything (TLS, redirects)
3. curl -w "%{http_code}" -o /dev/null -s url — scripted status check
4. curl --connect-timeout 3 url — diagnose timeouts

💡 HTTP Headers That Matter

Authorization: Bearer <token> — API auth
Content-Type: application/json — request body type
X-Request-ID — trace a request through logs
Cache-Control — caching behaviour

Part 5 of 6

TLS Certificates — why HTTPS works and fails

How TLS Works (Simplified)

Browser connects to server on port 443
Server sends its TLS certificate (contains public key + identity)
Browser verifies certificate against trusted Certificate Authorities (CA)
If valid: encrypted session established using symmetric key
If invalid/expired: browser shows 🔴 "Your connection is not private"

Certificate Problems You'll Face

Expired cert — Most common outage cause. Set up alerts 30 days before expiry.
Wrong domain — cert issued for api.example.com but request goes to www.example.com
Self-signed — Not trusted by browsers. Fine for internal services, never for public.
Missing chain — Intermediate CA cert not installed on server
TLS version mismatch — Client requires TLS 1.2+ but server only has TLS 1.0

🐧🪟 TLS Certificate Commands

# Check certificate expiry date
echo | openssl s_client -connect google.com:443 -servername google.com 2>/dev/null \
  | openssl x509 -noout -dates
# notBefore=... notAfter=Dec 15 12:00:00 2025 GMT

# Full cert details (subject, issuer, SANs)
echo | openssl s_client -connect google.com:443 2>/dev/null \
  | openssl x509 -noout -text | grep -A2 "Subject:\|Not After\|DNS:"

# Quick expiry check with days remaining
domain="google.com"
expiry=$(echo | openssl s_client -connect $domain:443 -servername $domain 2>/dev/null \
  | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
echo "Expires: $expiry"

# Test TLS version + cipher
curl -v --tls-max 1.2 https://google.com 2>&1 | grep "SSL connection"

# Windows PowerShell
$req = [Net.HttpWebRequest]::Create("https://google.com")
$req.GetResponse() | Out-Null
$req.ServicePoint.Certificate.GetExpirationDateString()

💡 cert-manager for Kubernetes

In Kubernetes, cert-manager automatically issues and renews TLS certificates from Let's Encrypt. You never manually manage certs. We'll cover this in Week 6 (K8s).

⚠ Never Let Certs Expire in Production

Set up monitoring alerts 30 days before expiry. A Prometheus alert rule, a Datadog monitor, or even a simple cron job that runs the openssl check and emails you. Expired certs cause immediate outages — zero tolerance.

Part 6 of 6

Load Balancers & Reverse Proxies

What a Reverse Proxy Does

Sits in front of your app servers and:

Distributes traffic across multiple backend instances
Terminates TLS (handles HTTPS so your app doesn't have to)
Serves static files directly (no app server involved)
Caches responses to reduce backend load
Provides a single entry point for multiple services

Tools: nginx, HAProxy, Traefik, AWS ALB, Azure Application Gateway

Load Balancing Algorithms

Round Robin — Request 1→Server A, Request 2→Server B, Request 3→Server A… Default.
Least Connections — Send to the server with fewest active connections. Better for long-running requests.
IP Hash — Same client IP always goes to the same server. Needed for sticky sessions.
Weighted — Server A gets 70% of traffic, Server B gets 30%. For canary deployments.

nginx — Reverse Proxy Config

upstream backend {
    least_conn;                    # Algorithm: least connections
    server 10.0.0.1:8080;         # App server 1
    server 10.0.0.2:8080;         # App server 2
    server 10.0.0.3:8080 backup;  # Backup — only if others fail
}

server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;

    location / {
        proxy_pass         http://backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # Health check
        proxy_connect_timeout 3s;
        proxy_read_timeout    30s;
    }
}
# Health check endpoint (nginx checks this)
# If /health returns non-2xx: server removed from pool

Health Checks

Load balancers periodically hit a health endpoint (e.g. GET /health) on each backend. If it returns non-2xx or times out, that server is removed from the pool until it recovers. This is how rolling deployments achieve zero downtime.

Hands-On Lab

🔧 Network Debugging Lab

Use curl, dig, netstat, and openssl to diagnose real-world networking issues — on both Linux/Mac and Windows

⏱ 25 minutes

Terminal open ✓

🐧 WSL2/Mac/Linux OR 🪟 PowerShell

🔧 Lab — Steps

Network debugging exercises

1

DNS Resolution — dig or nslookup

Run dig google.com (Linux/Mac/WSL2) or Resolve-DnsName google.com (PowerShell). Note the A record IP, TTL value, and answer section.

2

HTTP debugging with curl

Run the curl commands on the next slide. Check headers, status codes, and try the timing breakdown command. Windows users: use curl.exe (real curl) or Invoke-WebRequest.

3

Check open ports on your machine

Linux/Mac/WSL2: netstat -tlnp or ss -tlnp. Windows: netstat -an | findstr LISTEN. Identify which ports are open and what services are using them.

4

TLS certificate inspection

Check google.com's cert expiry with openssl (Linux/Mac/WSL2). Then check github.com. Note the notAfter date and issuer.

5

Simulate HTTP error codes

Use httpbin.org to trigger 404, 429, 500, 503 responses and observe what curl outputs. Commit a notes file to your lab repo with your findings.

🔧 Lab — Commands

All lab commands

🐧🪟 WSL2 / Mac / Linux

# === DNS ===
dig google.com A            # A records
dig +short google.com       # Just IPs
dig @8.8.8.8 google.com    # via Google DNS
nslookup github.com         # Works on all platforms

# === HTTP ===
curl -I https://httpbin.org/get
curl -v https://httpbin.org/get 2>&1 | head -40
curl -o /dev/null -s -w "%{http_code}\n" https://google.com
curl -w "\nDNS:%{time_namelookup}s Connect:%{time_connect}s TLS:%{time_appconnect}s Total:%{time_total}s\n" \
  -o /dev/null -s https://github.com

# === Ports ===
netstat -tlnp 2>/dev/null || ss -tlnp
nc -zv github.com 443 && echo "Port 443 OPEN"

# === TLS ===
echo | openssl s_client -connect google.com:443 -servername google.com 2>/dev/null \
  | openssl x509 -noout -dates
echo | openssl s_client -connect github.com:443 -servername github.com 2>/dev/null \
  | openssl x509 -noout -dates

# === HTTP Error Simulation ===
for code in 200 301 400 404 429 500 503; do
  result=$(curl -o /dev/null -s -w "%{http_code}" "https://httpbin.org/status/$code")
  echo "Requested $code → Got: $result"
done

🪟 Windows PowerShell

# === DNS ===
Resolve-DnsName google.com
Resolve-DnsName google.com -Type A
Resolve-DnsName -Name google.com -Server 8.8.8.8
nslookup github.com        # works in PS too

# === HTTP ===
Invoke-WebRequest https://httpbin.org/get
(Invoke-WebRequest https://google.com).StatusCode
curl.exe -I https://httpbin.org/get   # real curl
curl.exe -o NUL -s -w "%{http_code}" https://google.com

# === Ports ===
netstat -an | Select-String "LISTEN"
Test-NetConnection -ComputerName github.com -Port 443
Test-NetConnection github.com -Port 443 -InformationLevel Detailed

# === TLS ===
$req = [Net.HttpWebRequest]::Create("https://google.com")
$req.GetResponse() | Out-Null
$req.ServicePoint.Certificate.GetExpirationDateString()

# === HTTP errors ===
200, 301, 404, 500 | ForEach-Object {
  $r = Invoke-WebRequest "https://httpbin.org/status/$_" -EA SilentlyContinue
  Write-Host "Status $_`: $($r.StatusCode)"
}

💡 Save your findings

Create notes/day5-networking.md in your lab repo. Note what each command output, the cert expiry dates, and any open ports you found. Commit with feat(day5): networking debug notes

📌 Reference

Network tools — complete cheatsheet

Task	🐧 Linux/Mac/WSL2	🪟 PowerShell	🪟 CMD / Windows
DNS lookup	dig domain.com	Resolve-DnsName domain.com	nslookup domain.com
Just the IP	dig +short domain.com	(Resolve-DnsName d.com).IPAddress	ping domain.com
Ping host	ping -c 4 host	ping host	ping host
Trace route	traceroute host	Test-NetConnection -TraceRoute host	tracert host
Test port open	nc -zv host port	Test-NetConnection host -Port port	telnet host port
Listening ports	ss -tlnp	netstat -an \| sls LISTEN	netstat -an \| find "LISTEN"
All connections	netstat -an	Get-NetTCPConnection	netstat -an
HTTP GET	curl https://url	Invoke-WebRequest url	curl.exe url
HTTP headers only	curl -I https://url	curl.exe -I url	curl.exe -I url
HTTP status code	curl -o /dev/null -s -w "%{http_code}" url	(Invoke-WebRequest url).StatusCode	—
TLS cert expiry	openssl s_client -connect h:443 \| openssl x509 -noout -dates	$req.ServicePoint.Certificate.GetExpirationDateString()	—
Local IP address	ip addr show / ifconfig	ipconfig	ipconfig

Real-World Scenario

Debugging a production incident

The Scenario

Alert fires at 2 AM: "api.example.com is returning 502 errors. 30% of requests failing." Users are complaining. You're on-call. What do you do?

🐧🪟 Debug Runbook

# Step 1: Verify the issue
curl -o /dev/null -s -w "%{http_code}" https://api.example.com/health
# → 502

# Step 2: Check DNS (is the domain resolving?)
dig +short api.example.com
# → 1.2.3.4 (DNS is fine)

# Step 3: Is the load balancer port open?
nc -zv api.example.com 443 && echo "LB port OPEN"
# → open (load balancer is up)

# Step 4: Is the backend app responding?
curl http://10.0.0.1:8080/health  # Direct to app server
# → curl: (7) Failed to connect — APP SERVER IS DOWN

# Step 5: Check app logs
ssh app-server-1
sudo journalctl -u myapp --since "10 min ago"
# → Out of memory! OOMKilled the process

# Step 6: Restart app, verify
sudo systemctl restart myapp
curl -o /dev/null -s -w "%{http_code}" https://api.example.com/health
# → 200 ✅

The Debugging Mental Model

Always work through the layers:

DNS — does the name resolve?
Network/Port — can I reach the host?
LB/Proxy — is nginx/ALB up?
App — is the backend process running?
Logs — what does the app say?
Resources — CPU, memory, disk full?

502 vs 503 vs 504

502 — LB got a bad response from app → app crashed or returned garbage
503 — LB can't connect to app → app not running, health check failing
504 — LB connected but app took too long → slow DB query, memory leak

Knowledge Check

❓ Quiz Time

3 questions · 5 minutes · DNS, HTTP codes, and TLS

Test your networking knowledge →

QUESTION 1 OF 3

What HTTP status code range indicates a server-side error — meaning the problem is with the server, not the client's request?

A

2xx — the request succeeded

B

3xx — the resource has moved

C

4xx — the client made a bad request

D

5xx — the server failed to fulfil a valid request

QUESTION 2 OF 3

Which DNS record type maps a hostname to an IPv4 address?

A

CNAME — canonical name alias

B

MX — mail exchange record

C

A — address record

D

TXT — text record

QUESTION 3 OF 3

Which curl flag shows only the HTTP response headers without downloading the response body?

A

-v — verbose mode (shows everything)

B

-I — sends a HEAD request, returns headers only

C

-H — sets a request header

D

-d — sends POST data

Day 5 — Complete

What you learned today

🧅

OSI 3 Layers

L3 IP (ping), L4 TCP/ports (nc), L7 HTTP/DNS (curl, dig). Debug bottom-up.

🔍

DNS

A records, CNAME, TTL. dig +short for IP. @8.8.8.8 to bypass local cache.

🔢

HTTP Codes

2xx✅ 3xx↩ 4xx🧑‍💻 5xx🖥. Know 200, 301, 401, 403, 404, 502, 503, 504.

🔒

TLS

openssl s_client to check cert expiry. Alert 30 days before. cert-manager automates in K8s.

Day 5 Action Items

Run every command from the lab — note outputs
Check 3 websites' TLS cert expiry dates with openssl
Commit notes/day5-networking.md to your lab repo
Run the incident walkthrough commands — understand each step

Tomorrow — Day 6 (Week 2 Starts!)

Git Fundamentals

Week 2 kicks off with Git deep dive — init, clone, add, commit, push, branching, and conventional commits. The foundation for all CI/CD pipelines.

git init git commit git push GitHub

📌 Bonus — Real Incident Patterns

Networking error patterns explained

Symptom	Most Likely Cause	First Command to Run
curl: (6) Could not resolve host	DNS failure — domain not resolving	dig +short domain.com
curl: (7) Failed to connect	Port closed, firewall blocking, app not running	nc -zv host port
curl: (28) Operation timed out	Firewall silently dropping packets, or very slow response	traceroute host
SSL: certificate verify failed	Expired cert, self-signed, or wrong domain	openssl s_client -connect h:443
HTTP 502 Bad Gateway	Upstream app server crashed or returned garbage	curl http://appserver:8080/health
HTTP 503 Service Unavailable	Load balancer health check failing — app down	systemctl status myapp
HTTP 504 Gateway Timeout	App responds but too slowly (DB query, CPU spike)	top then check DB slow query log
HTTP 401 Unauthorized	Missing or invalid auth token/session	curl -H "Authorization: Bearer ..." url
HTTP 403 Forbidden	Auth OK but no permission — check RBAC/IAM	Check cloud IAM policies / K8s RBAC
HTTP 429 Too Many Requests	Rate limiting triggered	Check Retry-After header in response
DNS works but connection fails	Firewall blocking traffic at L4	Test-NetConnection h -Port p
Works locally but fails from CI	Private DNS / VPN not configured in CI	Check CI environment network config

📌 Windows Reference

Windows networking — native commands

🪟 PowerShell — Full Network Toolkit

# === Connectivity ===
ping google.com -n 4               # 4 pings
tracert google.com                 # trace route
Test-NetConnection google.com -Port 443
Test-NetConnection google.com -Port 443 -InformationLevel Detailed

# === DNS ===
Resolve-DnsName google.com
Resolve-DnsName -Name google.com -Type A
Resolve-DnsName -Name google.com -Server 8.8.8.8
ipconfig /flushdns               # clear DNS cache
ipconfig /displaydns             # show cached DNS

# === Ports / Connections ===
netstat -an
netstat -ano                     # with PID
Get-NetTCPConnection -State Listen
Get-NetTCPConnection | Where-Object LocalPort -eq 8080

# === HTTP (real curl on Win10+) ===
curl.exe -I https://google.com
curl.exe -v https://httpbin.org/get
curl.exe -o NUL -s -w "%{http_code}" https://google.com
curl.exe -X POST https://httpbin.org/post -H "Content-Type: application/json" -d '{\"key\":\"val\"}'

# === TLS Certificate ===
$r = [Net.HttpWebRequest]::Create("https://google.com")
$r.GetResponse() | Out-Null
Write-Host "Expires: $($r.ServicePoint.Certificate.GetExpirationDateString())"
Write-Host "Issuer:  $($r.ServicePoint.Certificate.Issuer)"

🪟 WSL2 Advantage

Inside WSL2, all Linux networking commands work identically:
dig, curl, nc, openssl, ss, netstat, traceroute

Recommendation: do all networking debugging from WSL2. The commands will be identical to what you run on production Linux servers.

Windows Firewall Check

Get-NetFirewallRule | Where-Object Enabled -eq True | Select-Object DisplayName, Direction, Action | Format-Table

Check if Windows Firewall is blocking a port:
Test-NetConnection localhost -Port 8080

💡 Windows hosts file

Equivalent to Linux /etc/hosts:
C:\Windows\System32\drivers\etc\hosts
Edit with Notepad as Administrator. Add: 127.0.0.1 myapp.local

🎉 Week 1 Complete!

Week 1 — Foundation Review

Day	Topic	Key Skill Gained	Lab Output
Day 1	What is DevOps?	CALMS, DORA metrics, Infinity Loop	DORA baseline document
Day 2	DevOps Toolchain	Tool landscape, 3 stacks, toolkit setup	Git + Docker + VS Code installed
Day 3	Agile + DevOps	Scrum, Kanban, DevOps "Done" definition	GitHub Project Kanban board
Day 4	Linux for DevOps	20 commands, permissions, shell scripting	sysinfo.sh script committed
Day 5	Networking	DNS, HTTP codes, TLS, curl, netstat	Networking notes + debug commands

Week 1 → Week 2 Bridge

Week 1 was culture + foundations. Starting Day 6, we go deep into tools. Week 2 is entirely Git — the single most important DevOps tool. Every pipeline, every IaC change, every deployment you'll do in the next 30 days is triggered by a git push.

Week 2 Preview — Days 6–10

Day 6 — Git Fundamentals (commit, push, pull)
Day 7 — Branching Strategies (GitFlow, GitHub Flow, Trunk-based)
Day 8 — Pull Requests & Code Review
Day 9 — Git Hooks & Automation (Husky, lint-staged)
Day 10 — Git Advanced Lab (rebase, cherry-pick, bisect)